IDENTITY AND ACCESS MANAGEMENT ARCHITECT Flashcards
(248 cards)
1
Q
Universal Containers wants to secure its Salesforce APIs by using an existing Security Assertion Markup Language (SAML) configuration supports the company’s single sign-on process to Salesforce,
Which Salesforce OAuth authorization flow should be used?
A. OAuth 2.0 SAML Bearer Assertion Flow
B. A SAML Assertion Row
C. OAuth 2.0 User-Agent Flow
D. OAuth 2.0 JWT Bearer Flow
A
Answer: B
2
Q
An identity architect’s client has a homegrown identity provider (IdP). Salesforce is used as the service provider (SP). The head of IT is worried that during a SP initiated single sign-on (SSO), the Security Assertion Markup Language (SAML) request content will be altered.
What should the identity architect recommend to make sure that there is additional trust between the SP and
the IdP?
A . Ensure that there is an HTTPS connection between IDP and SP.
B . Ensure that on the SSO settings page, the ‘Request Signing Certificate’ field has a self-signed certificate.
C . Ensure that the Issuer and Assertion Consumer service (ACS) URL is property configured between SP and IDP.
D . Encrypt the SAML Request using certification authority (CA) signed certificate and decrypt on IdP.
A
Answer: D
3
Q
A public sector agency is setting up an identity solution for its citizens using a Community built on Experience Cloud and requires the new user registration functionality to capture first name, last name, and phone number. The phone number will be used for identity verification.
Which feature should an identity architect recommend to meet the requirements?
A . Integrate with social websites (Facebook, Linkedin. Twitter)
B . Use an external Identity Provider
C . Create a custom Lightning Web Component
D . Use Login Discovery
A
Answer: D
4
Q
Northern Trail Outfitters would like to use a portal built on Salesforce Experience Cloud for customer selfservice. Guests of the portal be able to self-register, but be unable to automatically be assigned to a contact record until verified. External Identity licenses have bee purchased for the project. After registered guests complete an onboarding process, a flow will create the appropriate account and contact records for the user.
Which three steps should an identity architect follow to implement the outlined requirements?
Choose 3 answers
A . Enable ‘Allow customers and partners to self-register’.
B . Select the ‘Configurable Self-Reg Page’ option under Login & Registration.
C . Set jp an external login page and call Salesforce APIs for user creation.
D . Customize the self-registration Apex handler to temporarily associate the user to a shared single contact
record.
E . Customize me self-registration Apex handler to create only the user record.
A
Answer: A, B, E
5
Q
Northern Trail Outfitters (NTO) believes a specific user account may have been compromised. NTO inactivated the user account and needs U perform a forensic analysis and identify signals that could Indicate a breach has occurred.
What should NTO’s first step be in gathering signals that could indicate account compromise?
A . Review the User record and evaluate the login and transaction history.
B . Download the Setup Audit Trail and review all recent activities performed by the user.
C . Download the Identity Provider Event Log and evaluate the details of activities performed by the user.
D . Download the Login History and evaluate the details of logins performed by the user.
A
Answer: D
6
Q
When designing a multi-branded Customer Identity and Access Management solution on the Salesforce Platform, how should an identity architect ensure a specific brand experience in Salesforce is presented?
A . The Experience ID, which can be included in OAuth/Open ID flows and Security Assertion Markup Language
(SAML) flows as a URL parameter.
B . Provide a brand picker that the end user can use to select its sub-brand when they arrive on salesforce.
C . Add a custom parameter to the service provider’s OAuth/SAML call and implement logic on its login page
to apply branding based on the parameters value.
D . The Audience ID, which can be set in a shared cookie.
A
Answer: A
7
Q
Northern Trail Outfitters (NTO) has an off-boarding process where a terminated employee is first disabled in the Lightweight Directory Act Protocol (LDAP) directory, then requests are sent to the various application support teams to finish user deactivations. A terminated employee recently was able to login to NTO’s Salesforce instance 24 hours after termination, even though the user was disabled in the corporate LDAP directory.
What should an identity architect recommend to prevent this from happening in the future?
A . Create a Just-in-Time provisioning registration handler to ensure users are deactivated in Salesforce as they
are disabled in LDAP.
B . Configure an authentication provider to delegate authentication to the LDAP directory.
C . use a login flow to make a callout to the LDAP directory before authenticating the user to Salesforce.
D . Setup an identity provider (IdP) to authenticate users using LDAP, set up single sign-on to Salesforce and disable Login Form authentication.
A
Answer: B
8
Q
A university is planning to set up an identity solution for its alumni. A third-party identity provider will be used for single sign-on Salesforce will be the system of records. Users are getting error messages when logging in.
Which Salesforce feature should be used to debug the issue?
A . Apex Exception Email
B . View Setup Audit Trail
C . Debug Logs
D . Login History
A
Answer: D
9
Q
An insurance company has a connected app in its Salesforce environment that is used to integrate with a Google Workspace (formerly knot as G Suite). An identity and access management (IAM) architect has been asked to implement automation to enable users,
freeze/suspend users, disable users, and reactivate existing users in Google Workspace upon similar actions in
Salesforce.
Which solution is recommended to meet this requirement?
A . Configure user Provisioning for Connected Apps.
B . Update the Security Assertion Markup Language Just-in-Time (SAML JIt; handler in Salesforce for user
provisioning and de-provisioning.
C . Build a custom REST endpoint in Salesforce that Google Workspace can poll against.
D . Build an Apex trigger on the useriogin object to make asynchronous callouts to Google APIs.
A
Answer: A
10
Q
Universal Containers is creating a web application that will be secured by Salesforce Identity using the OAuth 2.0 Web Server Flow uses the OAuth 2.0 authorization code grant type).
Which three OAuth concepts apply to this flow?
Choose 3 answers
A . Verification URL
B . Client Secret
C . Access Token
D . Scopes
A
Answer: B, C, D
11
Q
An administrator created a connected app for a custom wet) application in Salesforce which needs to be visible as a tile in App Launcher The tile for the custom web application is missing in the app launcher for all users in Salesforce. The administrator requested assistance from an identity architect to resolve the issue.
Which two reasons are the source of the issue?
Choose 2 answers
A . StartURL for the connected app is not set in Connected App settings.
B . OAuth scope does not include ‘openid*.
C . Session Policy is set as ‘High Assurance Session required’ for this connected app.
D . The connected app is not set in the App menu as ‘Visible in App Launcher’.
A
Answer: A, C
12
Q
Northern Trail Outfitters (NTO) recently purchased Salesforce Identity Connect to streamline user provisioning across Microsoft Active Directory (AD) and Salesforce Sales Cloud. NTO has asked an identity architect to identify which salesforce security configurations can map to AD permissions.
Which three Salesforce permissions are available to map to AD permissions?
Choose 3 answers
A . Public Groups
B . Field-Level Security
C . Roles
D . Sharing Rules
E . Profiles and Permission Sets
A
Answer: A, C, E
13
Q
An identity architect is setting up an integration between Salesforce and a third-party system. The third-party system needs to authenticate to Salesforce and then make API calls against the REST API.
One of the requirements is that the solution needs to ensure the third party service providers connected app
in Salesforce mini need for end user interaction and maximizes security.
Which OAuth flow should be used to fulfill the requirement?
A . JWT Bearer Flow
B . Web Server Flow
C . User Agent Flow
D . Username-Password Flow
A
Answer: A
14
Q
Northern Trail Outfitters (NTO) uses Salesforce for Sales Opportunity Management. Okta was recently brought in to Just-in-Time (JIT) provision and authenticate NTO users to applications. Salesforce users also use Okta to authorize a Forecasting web application to access Salesforce records on their behalf.
Which two roles are being performed by Salesforce?
Choose 2 answers
A . SAML Identity Provider
B . OAuth Client
C . OAuth Resource Server
D . SAML Service Provider
A
Answer: B, D
15
Q
A multinational industrial products manufacturer is planning to implement Salesforce CRM to manage their business. They have the following requirements:
- They plan to implement Partner communities to provide access to their partner network .
- They have operations in multiple countries and are planning to implement multiple Salesforce orgs.
- Some of their partners do business in multiple countries and will need information from multiple Salesforce
communities. - They would like to provide a single login for their partners.
How should an Identity Architect solution this requirement with limited custom development?
A . Create a partner login for the country of their operation and use SAML federation to provide access to
other orgs.
B . Consolidate Partner related information in a single org and provide access through Salesforce community.
C . Allow partners to choose the Salesforce org they need information from and use login flows to authenticate
access.
D . Register partners in one org and access information from other orgs using APIs.
A
Answer: A
16
Q
Universal Containers want users to be able to log in to the Salesforce mobile app with their Active Directory password. Employees are unable to use mobile VPN.
Which two options should an identity architect recommend to meet the requirement?
Choose 2 answers
A . Active Directory Password Sync Plugin
B . Configure Cloud Provider Load Balancer
C . Salesforce Trigger & Field on Contact Object
D . Salesforce Identity Connect
A
Answer: A, D
17
Q
Universal Containers (UC) has an Experience Cloud site (Customer Community) where customers can authenticate and place orders, view the status of orders, etc. UC allows guest checkout.
Mow can a guest register using data previously collected during order placement?
A . Enable Security Assertion Markup Language Sign-On and use a login flow to collect only order details to
retrieve customer data.
B . Enable Facebook as an authentication provider and use a registration handler to collect only order details
to retrieve customer data.
C . Use a Connected App Handler Apex Plugin class to collect only order details to retrieve customer data.
D . Enable self-registration and customize a self-registration page to collect only order details to retrieve
customer data.
A
Answer: D
18
Q
Northern Trail Outfitters (NTO) employees use a custom on-premise helpdesk application to request, approve, notify, and track access granted to various on-premises and cloud applications, including Salesforce. Salesforce is currently used to authenticate users.
How should NTO provision Salesforce users as soon as they are approved in the helpdesk application with the
approved profiles and permission sets?
A . Build an integration that performs a remote call-in to the Salesforce SOAP or REST API.
B . Use a login flow to query the helpdesk to validate user status.
C . Have the helpdesk initiate an IdP-initiated Just-m-Time provisioning Security Assertion Markup Language
flow.
D . Use Salesforce Connect to integrate with the helpdesk application.
A
Answer: B
19
Q
Universal Containers allows employees to use a mobile device to access Salesforce for daily operations using a hybrid mobile app. This app uses Mobile software development kits (SDK), leverages refresh token to regenerate access token when required and is distributed as a private app. The chief security officer is rolling out an org wide compliance policy to enforce re-venfication of devices if an
employee has not logged in from that device in the last week.
Which connected app setting should be leveraged to comply with this policy change?
A . Scope - Deny refresh_token scope for this connected app.
B . Refresh Token Policy - Expire the refresh token if it has not been used for 7 days.
C . Session Policy - Set timeout value of the connected app to 7 days.
D . Permitted User - Ask admins to maintain a list of users who are permitted based on last login date.
A
Answer: B
20
Q
A company wants to provide its employees with a custom mobile app that accesses Salesforce. Users are required to download the internal native IOS mobile app from corporate intranet on their mobile device. The app allows flexibility to access other Non Salesforce internal applications once users authenticate with
Salesforce. The apps self-authorize, and users are permitted to use the apps once they have logged into
Salesforce.
How should an identity architect meet the above requirements with the privately distributed mobile app?
A . Use connected app with OAuth and Security Assertion Markup Language (SAML) to access other Non Salesforce internal apps.
B . Configure Mobile App settings in connected app and Salesforce as identity provider for non-Salesforce internal apps.
C . Use Salesforce as an identity provider (IdP) to access the mobile app and use the external IdP for other nonSalesforce internal apps.
D . Create a new hybrid mobile app and use the connected app with OAuth to authenticate users for Salesforce and non-Salesforce internal apps
A
Answer: B
21
Q
A global company is using the Salesforce Platform as an Identity Provider and needs to integrate a third-party application with its Experience Cloud customer portal.
Which two features should be utilized to provide users with login and identity services for the third-party application?
Choose 2 answers
A . Use the App Launcher with single sign-on (SSO).
B . External a Data source with Named Principal identity type.
C . Use a connected app.
D . Use Delegated Authentication.
A
Answer: A, C
22
Q
Northern Trail Outfitters manages application functional permissions centrally as Active Directory groups. The CRM_Superllser and CRM_Reportmg_SuperUser groups should respectively give the user the SuperUser and Reportmg_SuperUser permission set in Salesforce. Salesforce is the service provider to a Security Assertion
Markup Language (SAML) identity provider.
Mow should an identity architect ensure the Active Directory groups are reflected correctly when a user accesses Salesforce?
A . Use the Apex Just-in-Time handler to query standard SAML attributes and set permission sets.
B . Use the Apex Just-in-Time handler to query custom SAML attributes and set permission sets.
C . Use a login flow to query custom SAML attributes and set permission sets.
D . Use a login flow to query standard SAML attributes and set permission sets.
A
Answer: B
23
Q
A financial enterprise is planning to set up a user authentication mechanism to login to the Salesforce system. Due to regulatory requirements, the CIO of the company wants user administration, including passwords and authentication requests, to be managed by an external system that is only accessible via a SOAP webservice.
Which authentication mechanism should an identity architect recommend to meet the requirements?
A . OAuth Web-Server Flow
B . Identity Connect
C . Delegated Authentication
D . Just-in-Time Provisioning
A
Answer: C
24
Q
A real estate company wants to provide its customers a digital space to design their interior decoration options. To simplify the registration to gain access to the community site (built in Experience Cloud), the CTO has requested that the IT/Development team provide the option for customers to use their existing socialmedia credentials to register and access.
The IT lead has approached the Salesforce Identity and Access Management (IAM) architect for technical direction on implementing the social sign-on (for Facebook, Twitter, and a new provider that supports standard OpenID Connect (OIDC)).
Which two recommendations should the Salesforce IAM architect make to the IT Lead?
Choose 2 answers
A . Use declarative registration handler process builder/flow to create, update users and contacts.
B . Authentication provider configuration is required each social sign-on providers; and enable Authentication
providers in
community.
C . For supporting OIDC it is necessary to enable Security Assertion Markup Language (SAML) with Just-in-Time
provisioning (JIT) and OAuth 2.0.
D . Apex coding skills are needed for registration handler to create and update users.
A
Answer: B, D
25
Universal Containers (UC) is using its production org as the identity provider for a new Experience Cloud site and the identity architect is deciding which login experience to use for the site.
Which two-page types are valid login page types for the site?
Choose 2 answers
A . Experience Builder Page
B . lightning Experience Page
C . Login Discovery Page
D . Embedded Login Page
Answer: C, D
26
Northern Trail Outfitters (NTO) utilizes a third-party cloud solution for an employee portal. NTO also owns Salesforce Service Cloud and would like employees to be able to login to Salesforce with their third-party portal credentials for a seamless expenence. The third-party employee portal only supports OAuth.
What should an identity architect recommend to enable single sign-on (SSO) between the portal and
Salesforce?
A . Configure SSO to use the third-party portal as an identity provider.
B . Create a custom external authentication provider.
C . Add the third-party portal as a connected app.
D . Configure Salesforce for Delegated Authentication.
Answer: A
27
Northern Trail Outfitters (NTO) is planning to implement a community for its customers using Salesforce Experience Cloud . Customers are not able to self-register. NTO would like to have customers set their own passwords when provided access to the community.
Which two recommendations should an identity architect make to fulfill this requirement?
Choose 2 answers
A . Add customers as contacts and add them to Experience Cloud site.
B . Enable Welcome emails while configuring the Experience Cloud site.
C . Allow Password reset using the API to update Experience Cloud site membership.
D . Use Login Flows to allow users to reset password in Experience Cloud site.
Answer: C, D
28
An Enterprise is using a Lightweight Directory Access Protocol (LDAP) server as the only point for user authentication with a username/password. Salesforce delegated authentication is configured to integrate Salesforce under single sign-on (SSO).
Mow can end users change their password?
A . Users once logged In, can go to the Change Password screen in Salesforce.
B . Users can click on the 'Forgot your Password' link on the Salesforce.com login page.
C . Users can request the Salesforce Admin to reset their password.
D . Users can change it on the enterprise LDAP authentication portal.
Answer: C
29
Universal Containers (UC) is planning to add Wi-Fi-enabled GPS tracking devices to its shipping containers so that the GPS coordinates data can be sent from the tracking device to its Salesforce production org via a custom API. The GPS devices have no direct user input or output capabilities.
Which OAuth flow should the identity architect recommend to meet the requirement?
A . OAuth 2.0 Asset Token Flow for Securing Connected Devices
B . OAuth 2.0 Username-Password Flow for Special Scenarios
C . OAuth 2.0 Web Server Flow for Web App Integration
D . OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration
Answer: A
30
Northern Trail Outfitters (NTO) has a requirement to ensure all user logins include a single multi-factor authentication (MFA) prompt. Currently, users are allowed the choice to login with a username and password or via single sign-on against NTO's corporate Identity Provider, which includes built-in MFA.
Which configuration will meet this requirement?.
A . Create and assign a permission set to all employees that includes 'MFA for User Interface Logins.'
B . Create a custom login flow that enforces MFA and assign it to a permission set. Then assign the permission set to all employees.
C . Enable 'MFA for User Interface Logins' for your organization from Setup -> Identity Verification.
D . For all employee profiles, set the Session Level Required at Login to High Assurance and add the corporate identity provider to the High Assurance list for the org's Session Security Levels.
Answer: C
31
An identity architect has built a native mobile application and plans to integrate it with a Salesforce Identity solution. The following are the requirements for the solution:
1. Users should not have to login every time they use the app.
2. The app should be able to make calls to the Salesforce REST API.
3. End users should NOT see the OAuth approval page.
How should the identity architect configure the Salesforce connected app to meet the requirements?
A . Enable the API Scope and Offline Access Scope, upload a certificate so JWT Bearer Flow can be used and
then set the connected app access settings to 'Admin Pre-Approved'.
B . Enable the API Scope and Offline Access Scope on the connected app, and then set the connected app to
access settings to 'Admin Pre-Approved'.
C . Enable the Full Access Scope and then set the connected app access settings to 'Admin Pre-Approved'.
D . Enable the API Scope and Offline Access Scope on the connected app, and then set the Connected App
access settings to 'User may self authorize'.
Answer: A
32
Northern Trail Outfitters (NTO) wants to improve its engagement with existing customers to boost customer loyalty. To get a better understanding of its customers, NTO establishes a single customer view including their buying behaviors, channel preferences and purchasing history. All of this information exists but is spread
across different systems and formats.
NTO has decided to use Salesforce as the platform to build a 360 degree view. The company already uses Microsoft Active Directory (AD) to manage its users and company assets.
What should an Identity Architect do to provision, deprovision and authenticate users?
A . Salesforce Identity is not needed since NTO uses Microsoft AD.
B . Salesforce Identity can be included but NTO will be required to build a custom integration with Microsoft AD.
C . Salesforce Identity is included in the Salesforce licenses so it does not need to be considered separately.
D . A Salesforce Identity can be included but NTO will require Identity Connect
Answer: D
33
Universal Container's (UC) identity architect needs to recommend a license type for their new Experience Cloud site that will be used by external partners (delivery providers) for reviewing and updating their accounts, downloading files provided by UC and obtaining scheduled pickup dates from their calendar.
UC is using their Salesforce production org as the identity provider for these users and the expected number of individual users is 2.5 million with 13.5 million unique logins per month.
Which of the following license types should be used to meet the requirement?
A . External Apps License
B . Partner Community License
C . Partner Community Login License
D . Customer Community plus Login License
Answer: D
34
A technology enterprise is setting up an identity solution with an external vendors wellness application for its employees. The user attributes need to be returned to the wellness application in an ID token.
Which authentication mechanism should an identity architect recommend to meet the requirements?
A . OpenID Connect
B . User Agent Flow
C . JWT Bearer Token Flow
D . Web Server Flow
Answer: D
35
A security architect is rolling out a new multi-factor authentication (MFA) mandate, where all employees must go through a secure authentication process before accessing Salesforce. There are multiple Identity Providers (IdP) in place and the architect is considering how the 'Authentication Method Reference' field (AMR) in the Login History can help.
Which two considerations should the architect keep in mind?
Choose 2
A . AMR field shows the authentication methods used at IdP.
B . Both OIDC and Security Assertion Markup Language (SAML) are supported but AMR must be implemented at IdP.
C . High-assurance sessions must be configured under Session Security Level Policies.
D . Dependency on what is supported by OpenID Connect (OIDC) implementation at IdP.
Answer: A, B
36
A global fitness equipment manufacturer is planning to sell fitness tracking devices and has the following requirements:
1) Customer purchases the device.
2) Customer registers the device using their mobile app.
3) A case should automatically be created in Salesforce and associated with the customers account in cases where the device registers issues with tracking.
Which OAuth flow should be used to meet these requirements?.
A . OAuth 2.0 Asset Token Flow
B . OAuth 2.0 Username-Password Flow
C . OAuth 2.0 User-Agent Flow
D . OAuth 2.0 SAML Bearer Assertion Flow
Answer: A
37
The CMO of an advertising company has invited an Identity and Access Management (IAM) specialist to discuss Salesforce out-of-box capabilities for configuring the company*s login and registration experience on Salesforce Experience Cloud.
The CMO is looking to brand the login page with the company's logo, background color, login button color, and dynamic right-frame from an external URL.
Which two solutions should the IAM specialist recommend?
Choose 2 answers
A . Use Experience Builder to build branded Reset and Forgot Password pages.
B . Build custom pages for branding requirements in Experience Cloud.
C . Build custom site pages for reset and forgot password features.
D . Login & Registration pages can be branded in the Community Administration settings.
Answer: A, D
38
Universal Containers (UC) wants to provide single sign-on (SSO) for a business-to-consumer (B2C) application using Salesforce Identity.
Which Salesforce license should UC utilize to implement this use case?
A . Identity Only
B . Salesforce Platform
C . External Identity
D . Partner Community
Answer: C
39
Universal Containers is creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-agent flow. Application users will authenticate using username and password. They should not be forced to approve API access in the mobile app or reauthenticate for 3 months.
Which two connected app options need to be configured to fulfill this use case?
Choose 2 answers
A . Set Permitted Users to 'Admin approved users are pre-authorized'.
B . Set Permitted Users to 'All users may self-authorize'.
C . Set the Session Timeout value to 3 months.
D . Set the Refresh Token Policy to expire refresh token after 3 months.
Answer: B, D
40
Universal Containers (UC) has built a custom time-tracking app for its employee. UC wants to leverage Salesforce Identity to control access to the custom app. At a minimum, which Salesforce license is required to support this requirement?
A . Identity Verification
B . Identity Connect
C . Identity Only
D . External Identity
Answer: C
41
Northern Trail Outfitters wants to implement a partner community. Active community users will need to review and accept the community rules and update key contact information for each community member before their annual partner event.
Which approach will meet this requirement?
A . Create tasks for users who need to update their data or accept the new community rules.
B . Create a custom landing page and email campaign asking all community members to login and verify their data.
C . Create a login flow that conditionally prompts users who have not accepted the new community rules and who have missing or outdated information.
D . Add a banner to the community Home page asking users to update their profile and accept the new community rules.
Answer: C
42
Universal Containers (UC) is using Active Directory as its corporate identity provider and Salesforce as its CRM for customer care agents, who use SAML based sign sign-on to login to Salesforce. The default agent profile does not include the Manage User permission. UC wants to dynamically update the agent role and permission
sets.
Which two mechanisms are used to provision agents with the appropriate permissions?
Choose 2 answers
A . Use Login Flow in User Context to update role and permission sets.
B . Use Login Flow in System Context to update role and permission sets.
C . Use SAML Just-m-Time (JIT) Handler class run as current user to update role and permission sets.
D . Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets.
Answer: B, D
43
Northern Trail Outfitters want to allow its consumer to self-register on it business-to-consumer (B2C) portal that is built on Experience Cloud. The identity architect has recommended to use Person Accounts.
Which three steps need to be configured to enable self-registration using person accounts?
Choose 3 answers
A . Enable access to person and business account record types under Public Access Settings.
B . Contact Salesforce Support to enable business accounts.
C . Under Login and Registration settings, ensure that the default account field is empty.
D . Contact Salesforce Support to enable person accounts.
E . Set organization-wide default sharing for Contact to Public Read Only.
Answer: A, C, D
44
Which tool should be used to track login data, such as the average number of logins, who logged in more than
the average number of times and who logged in during non-business hours?
A . Login Inspector
B . Login History
C . Login Report
D . Login Forensics
Answer: D
45
An organization has a central cloud-based Identity and Access Management (IAM) Service for authentication
and user management, which must be utilized by all applications as follows:
1 - Change of a user status in the central IAM Service triggers provisioning or deprovisioining in the integrated
cloud applications.
2 - Security Assertion Markup Language single sign-on (SSO) is used to facilitate access for users authenticated
at identity provider (Central IAM Service).
Which approach should an IAM architect implement on Salesforce Sales Cloud to meet the requirements?
A . A Configure Salesforce as a SAML Service Provider, and enable SCIM (System for Cross-Domain Identity Management) for provisioning and deprovisioning of users.
B . Configure Salesforce as a SAML service provider, and enable Just-in Time (JIT) provisioning and deprovisioning of users.
C . Configure central IAM Service as an authentication provider and extend registration handler to manage provisioning and deprovisioning of users.
D . Deploy Identity Connect component and set up automated provisioning and deprovisioning of users, as well as SAML-based SSO.
Answer: A
46
Northern Trail Outfitters (NTO) is launching a new sportswear brand on its existing consumer portal built on Salesforce Experience Cloud. As part of the launch, emails with promotional links will be sent to existing customers to log in and claim a discount. The marketing manager would like the portal dynamically branded so that users will be directed to the brand link they clicked on; otherwise, users will view a recognizable NTObranded page.
The campaign is launching quickly, so there is no time to procure any additional licenses. However, the
development team is available to apply any required changes to the portal.
Which approach should the identity architect recommend?
A . Create a full sandbox to replicate the portal site and update the branding accordingly.
B . Implement Experience ID in the code and extend the URLs and endpomts, as required.
C . Use Heroku to build the new brand site and embedded login to reuse identities.
D . Configure an additional community site on the same org that is dedicated for the new brand.
Answer: B
47
A service provider (SP) supports both Security Assertion Markup Language (SAML) and OpenID Connect
(OIDC).
When integrating this SP with Salesforce, which use case is the determining factor when choosing OIDC or SAML?
A . OIDC is more secure than SAML and therefore is the obvious choice.
B . The SP needs to perform API calls back to Salesforce on behalf of the user after the user logs in to the
service provider.
C . If the user has a session on Salesforce, you do not want them to be prompted for a username and password
when they login to the SP.
D . They are equivalent protocols and there is no real reason to choose one over the other.
Answer: B
48
A consumer products company uses Salesforce to maintain consumer information, including orders. The company implemented a portal solution using Salesforce Experience Cloud for its consumers where the consumers can log in using their credentials. The company is considering allowing users to login with their
Facebook or Linkedln credentials.
Once enabled, what role will Salesforce play?
A . Facebook and Linkedln will be the SPs.
B . Salesforce will be the service provider (SP).
C . Salesforce will be the identity provider (IdP).
D . Facebook and Linkedln will act as the IdPs and SPs.
Answer: B
49
Northern Trail Outfitters recently acquired a company. Each company will retain its Identity Provider (IdP). Both companies rely extensively on Salesforce processes that send emails to users to take specific actions in Salesforce.
How should the combined companys' employees collaborate in a single Salesforce org, yet authenticate to the
appropriate IdP?
A . Configure unique MyDomains for each company and have generated links use the appropriate MyDomam
in the URL.
B . Have generated links append a querystnng parameter indicating the IdP. The login service will redirect to
the appropriate IdP.
C . Have generated links be prefixed with the appropriate IdP URL to invoke an IdP-initiated Security Assertion
Markup Language flow when clicked.
D . Enable each IdP as a login option in the MyDomain Authentication Service settings. Users will then click on
the appropriate IdP button.
Answer: D
50
Universal Containers (UC) operates in Asia, Europe and North America regions. There is one Salesforce org for each region. UC is implementing Customer 360 in Salesforce and has procured External Identity and Customer Community licenses in all orgs.
Customers of UC use Community to track orders and create inquiries. Customers also tend to move across regions frequently.
What should an identity architect recommend to optimize license usage and reduce maintenance overhead?
A . Merge three orgs into one instance of Salesforce. This will no longer require maintaining three separate
copies of the same customer.
B . Delete contact/ account records and deactivate user if user moves from a specific region; Sync will no
longer be required.
C . Contacts are required since Community access needs to be enabled. Maintenance is a necessary overhead
that must be handled via data integration.
D . Enable Contactless User in all orgs and downgrade users from Experience Cloud license to External Identity
license once users have moved out of that region.
Answer: C
51
Universal Containers would like its customers to register and log in to a portal built on Salesforce Experience Cloud. Customers should be able to use their Facebook or Linkedln credentials for ease of use.
Which three steps should an identity architect take to implement social sign-on?
Choose 3 answers
A . Register both Facebook and Linkedln as connected apps.
B . Create authentication providers for both Facebook and Linkedln.
C . Check 'Facebook' and 'Linkedln' under Login Page Setup.
D . Enable 'Federated Single Sign-On Using SAML'.
E . Update the default registration handlers to create and update users.
Answer: B, C, E
52
Northern Trail Outfitters (NTO) uses Salesforce Experience Cloud sites (previously known as Customer Community) to provide a digital portal where customers can login using their Google account.
NTO would like to automatically create a case record for first time users logging into Salesforce Experience Cloud.
What should an Identity architect do to fulfill the requirement?
A . Configure an authentication provider for Social Login using Google and a custom registration handler.
B . Implement a Just-in-Time handler class that has logic to create cases upon first login.
C . Create an authentication provider for Social Login using Google and leverage standard registration handler.
D . Implement a login flow with a record create component for Case.
Answer: D
53
A Salesforce customer is implementing Sales Cloud and a custom pricing application for its call center agents. An Enterprise single sign-on solution is used to authenticate and sign-in users to all applications. The customer has the following requirements:
1. The development team has decided to use a Canvas app to expose the pricing application to agents.
2. Agents should be able to access the Canvas app without needing to log in to the pricing application.
Which two options should the identity architect consider to provide support for the Canvas app to initiate login for users?
Choose 2 answers
A . Select 'Enable as a Canvas Personal App' in the connected app settings.
B . Enable OAuth settings in the connected app with required OAuth scopes for the pricing application.
C . Configure the Canvas app as a connected app and set Admin-approved users as pre-authorized.
D . Enable SAML in the connected app and Security Assertion Markup Language (SAML) Initiation Method as Service Provider Initiated.
Answer: C, D
54
A pharmaceutical company has an on-premise application (see illustration) that it wants to integrate with
Salesforce. The IT director wants to ensure that requests must include a certificate with a trusted certificate chain to
access the company's on-premise application endpoint.
What should an Identity architect do to meet this requirement?
A . Use open SSL to generate a Self-signed Certificate and upload it to the on-premise app.
B . Configure the company firewall to allow traffic from Salesforce IP ranges.
C . Generate a certificate authority-signed certificate in Salesforce and uploading it to the on-premise
application Truststore.
D . Upload a third-party certificate from Salesforce into the on-premise server.
Answer: B
55
Universal Containers (UC) is rolling out its new Customer Identity and Access Management Solution built on top of its existing Salesforce instance. UC wants to allow customers to login using Facebook, Google, and other social sign-on providers.
How should this functionality be enabled for UC, assuming ail social sign-on providers support OpenID
Connect?
A . Configure an authentication provider and a registration handler for each social sign-on provider.
B . Configure a single sign-on setting and a registration handler for each social sign-on provider.
C . Configure an authentication provider and a Just-In-Time (JIT) handler for each social sign-on provider.
D . Configure a single sign-on setting and a JIT handler for each social sign-on provider.
Answer: A
56
Universal Containers (UC) uses Salesforce as a CRM and identity provider (IdP) for their Sales Team to seamlessly login to intemaJ portals. The IT team at UC is now evaluating Salesforce to act as an IdP for its remaining employees.
Which Salesforce license is required to fulfill this requirement?
A . External Identity
B . Identity Verification
C . Identity Connect
D . Identity Only
Answer: D
57
How should an identity architect automate provisioning and deprovisioning of users into Salesforce from an external system?
A . Call SOAP API upsertQ on user object.
B . Use Security Assertion Markup Language Just-in-Time (SAML JIT) on incoming SAML assertions.
C . Run registration handler on incoming OAuth responses.
D . Call OpenID Connect (OIDC)-userinfo endpoint with a valid access token.
Answer: C
58
Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is important for to give its customers the ability to login with their Facebook and Twitter
credentials.
Which two actions should an identity architect recommend to meet these requirements?
Choose 2 answers
A . Create a custom external authentication provider for Facebook.
B . Configure a predefined authentication provider for Facebook.
C . Create a custom external authentication provider for Twitter.
D . Configure a predefined authentication provider for Twitter.
Answer: B, D
59
A third-party app provider would like to have users provisioned via a service endpoint before users access
their app from Salesforce.
What should an identity architect recommend to configure the requirement with limited changes to the thirdparty app?
A . Use a connected app with user provisioning flow.
B . Create Canvas app in Salesforce for third-party app to provision users.
C . Redirect users to the third-party app for registration.
D . Use Salesforce identity with Security Assertion Markup Language (SAML) for provisioning users.
Answer: A
60
Northern Trail Outfitters (NTO) is planning to roll out a partner portal for its distributors using Experience Cloud. NTO would like to use an external identity provider (idP) and for partners to register for access to the portal. Each partner should be allowed to register only once to avoid duplicate accounts with Salesforce.
What should a identity architect recommend to create partners?
A . On successful creation of Partners using Self Registration page in Experience Cloud, create identity in Ping.
B . Create a custom page Experience Cloud to self register partner with Experience Cloud and Ping identity
store.
C . Create a custom web page in the Portal and create users in the IdP and Experience Cloud using published
APIs.
D . Allow partners to register through the IdP and create partner users in Salesforce through an API.
Answer: B
61
An Identity and Access Management (IAM) Architect is recommending Identity Connect to integrate Microsoft
Active Directory (AD) with Salesforce for user provisioning, deprovisioning and single sign-on (SSO).
Which feature of Identity Connect is applicable for this scenano?
A . When Identity Connect is in place, if a user is deprovisioned in an on-premise AD, the user's Salesforce
session Is revoked Immediately.
B . If the number of provisioned users exceeds Salesforce licence allowances, identity Connect will start
disabling the existing
Salesforce users in First-in, First-out (FIFO) fashion.
C . Identity Connect can be deployed as a managed package on salesforce org, leveraging High Availability of
Salesforce Platform out-of-the-box.
D . When configured, Identity Connect acts as an identity provider to both Active Directory and Salesforce,
thus providing SSO as a default feature.
Answer: A
62
Users logging into Salesforce are frequently prompted to verify their identity.
The identity architect is required to provide recommendations so that frequency of prompt verification can be
reduced.
What should the identity architect recommend to meet the requirement?
A . Implement 2FA authentication for the Salesforce org.
B . Set trusted IP ranges for the organization.
C . Implement an single sign-on for Salesforce using an external identity provider.
D . Implement multi-factor authentication for the Salesforce org.
Answer: B
63
A financial services company uses Salesforce and has a compliance requirement to track information about devices from which users log in. Also, a Salesforce Security Administrator needs to have the ability to revoke the device from which users log in.
What should be used to fulfill this requirement?
A . Use multi-factor authentication (MFA) to meet the compliance requirement to track device information.
B . Use the Activations feature to meet the compliance requirement to track device information.
C . Use the Login History object to track information about devices from which users log in.
D . Use Login Flows to capture device from which users log in and store device and user information in a
custom object.
Answer: B
64
Northern Trail Outfitters (NTO) wants its customers to use phone numbers to log in to their new digital portal, which was designed and built using Salesforce Experience Cloud. In order to access the portal, the user will need to do the following:
1. Enter a phone number and/or email address
2. Enter a verification code that is to be sent via email or text.
What is the recommended approach to fulfill this requirement?
A . Create a Login Discovery page and provide a Login Discovery Handler Apex class.
B . Create a custom login page with an Apex controller. The controller has logic to send and verify the identity.
C . Create an Authentication provider and implement a self-registration handler class.
D . Create a custom login flow that uses an Apex controller to verify the phone numbers with the company's
verification service.
Answer: A
65
A multinational company is looking to rollout Salesforce globally. The company has a Microsoft Active
Directory Federation Services (ADFS) implementation for the Americas, Europe and APAC. The company plans
to have a single org and they would like to have all of its users access Salesforce using the ADFS . The company
would like to limit its investments and prefer not to procure additional applications to satisfy the
requirements.
What is recommended to ensure these requirements are met ?
A . Use connected apps for each ADFS implementation and implement Salesforce site to authenticate users
across the ADFS system applicable to their geo.
B . Implement Identity Connect to provide single sign-on to Salesforce and federated across multiple ADFS
systems.
C . Add a central identity system that federates between the ADFS systems and integrate with Salesforce for
single sign-on.
D . Configure Each ADFS system under single sign-on settings and allow users to choose the system to
authenticate during sign on to Salesforce
B
66
Universal Containers is implementing Salesforce Identity to broker authentication from its enterprise single
sign-on (SSO) solution through Salesforce to third party applications using SAML.
What rote does Salesforce Identity play in its relationship with the enterprise SSO system?
A . Identity Provider (IdP)
B . Resource Server
C . Service Provider (SP)
D . Client Application
C
67
Uwversal Containers (UC) is building a custom employee hut) application on Amazon Web Services (AWS) and would like to store their users' credentials there. Users will also need access to Salesforce for internal operations. UC has tasked an identity architect with evaluating Afferent solutions for authentication and
authorization between AWS and Salesforce.
How should an identity architect configure AWS to authenticate and authorize Salesforce users?
A . Configure the custom employee app as a connected app.
B . Configure AWS as an OpenID Connect Provider.
C . Create a custom external authentication provider.
D . Develop a custom Auth server in AWS.
B
68
An Identity architect works for a multinational, multi-brand organization. As they work with the organization to understand their Customer Identity and Access Management requirements, the identity architect learns that the brand experience is different for each of the customer's sub-brands and each of these branded
experiences must be carried through the login experience depending on which sub-brand the user is logging
into.
Which solution should the architect recommend to support scalability and reduce maintenance costs, if the
organization has more than 150 sub-brands?
A . Assign each sub-brand a unique Experience ID and use the Experience ID to dynamically brand the login
experience.
B . Use Audiences to customize the login experience for each sub-brand and pass an audience ID to the
community during the OAuth and Security Assertion Markup Language (SAML) flows.
C . Create a community subdomain for each sub-brand and customize the look and feel of the Login page for
each community subdomain to match the brand.
D . Create a separate Salesforce org for each sub-brand so that each sub-brand has complete control over the
user experience.
A
69
A farming enterprise offers smart farming technology to its farmer customers, which includes a variety of sensors for livestock tracking, pest monitoring, climate monitoring etc. They plan to store all the data in Salesforce. They would also like to ensure timely maintenance of the Installed sensors. They have engaged a
salesforce Architect to propose an appropriate way to generate sensor Information In Salesforce.
Which OAuth flow should the architect recommend?
A . OAuth 2.0 Asset Token Flow
B . OAuth 2.0 Device Authentication Row
C . OAuth 2.0 JWT Bearer Token Flow
D . OAuth 2.0 SAML Bearer Assertion Flow
Answer: A
70
A technology enterprise is planning to implement single sign-on login for users. When users log in to the Salesforce User object custom field, data should be populated for new and existing users.
Which two steps should an identity architect recommend?
Choose 2 answers
A . Implement Auth.SamlJitHandler Interface.
B . Create and update methods.
C . Implement RegistrationHandler Interface.
D . Implement SesslonManagement Class.
Answer: A, B
71
A company with 15,000 employees is using Salesforce and would like to take the necessary steps to highlight or curb fraudulent activity. Which tool should be used to track login data, such as the average number of logins, who logged in more than the average number of times and who logged in during non-business hours?
A . Login Forensics
B . Login Report
C . Login Inspector
D . Login History
Answer: A
72
Northern Trail Outfitters would like to automatically create new employee users in Salesforce with an appropriate profile that maps to its Active Directory Department.
How should an identity architect implement this requirement?
A . Use the createUser method in the Just-in-Time (JIT) provisioning registration handler to assign the
appropriate profile.
B . Use the updateUser method in the Just-in-Time (JIT) provisioning registration handler to assign the
appropriate profile.
C . Use a login flow to collect Security Assertion Markup Language attributes and assign the appropriate profile
during Just-In-Time
(JIT) provisioning.
D . Make a callout during the login flow to query department from Active Directory to assign the appropriate
profile.
Answer: B
73
Northern Trail Outfitters is implementing a busmess-to-business (B2B) collaboration site using Salesforce Experience Cloud. The partners will authenticate with an existing identity provider and the solution will utilize Security Assertion Markup Language (SAML) to provide single sign-on to Salesforce. Delegated administration
will be used in the Expenence Cloud site to allow the partners to administer their users' access.
How should a partner identity be provisioned in Salesforce for this solution?
A . Create only a contact.
B . Create a contactless user.
C . Create a user and a related contact.
D . Create a person account.
Answer: C
74
Northern Trail Outfitters (NTO) has a number of employees who do NOT need access Salesforce objects. Trie employees should sign in to a custom Benefits web app using their Salesforce credentials.
Which license should the identity architect recommend to fulfill this requirement?
A . Identity Only License
B . External Identity License
C . Identity Verification Credits Add-on License
D . Identity Connect License
Answer: A
75
Northern Trail Outfitters (NTO) is planning to build a new customer service portal and wants to use passwordless login, allowing customers to login with a one-time passcode sent to them via email or SMS.
How should the quantity of required Identity Verification Credits be estimated?
A . Each community comes with 10,000 Identity Verification Credits per month and only customers with more
than 10,000 logins a month should estimate additional SMS verifications needed.
B . Identity Verification Credits are consumed with each SMS (text message) sent and should be estimated
based on the number of login verification challenges for SMS verification users.
C . Identity Verification Credits are consumed with each verification sent and should be estimated based on
the number of logins
that will incur a verification challenge.
D . Identity Verification Credits are a direct add-on license based on the number of existing member-based or
login-based Community licenses.
Answer: B
76
A global fitness equipment manufacturer uses Salesforce to manage its sales cycle. The manufacturer has a custom order fulfillment app that needs to request order data from Salesforce. The order fulfillment app needs to integrate with the Salesforce API using OAuth 2.0 protocol.
What should an identity architect use to fulfill this requirement?
A . Canvas App Integration
B . OAuth Tokens
C . Authentication Providers
D . Connected App and OAuth scopes
Answer: D
77
Which two things should be done to ensure end users can only use single sign-on (SSO) to login in to Salesforce?
Choose 2 answers
A . Enable My Domain and select 'Prevent login from https://login.salesforce.com'.
B . Request Salesforce Support to enable delegated authentication.
C . Once SSO is enabled, users are only able to login using Salesforce credentials.
D . Assign user 'is Single Sign-on Enabled' permission via profile or permission set.
Answer: A, D
78
An identity architect has been asked to recommend a solution that allows administrators to configure personalized alert messages to users before they land on the Experience Cloud site (formerly known as Community) homepage.
What is recommended to fulfill this requirement with the least amount of customization?
A . Customize the registration handler Apex class to create a routing logic navigating to different home pages
based on the user profile.
B . Use Login Flows to add a screen that shows personalized alerts.
C . Build a Lightning web Component (LWC) for a homepage that shows custom alerts.
D . Create custom metadata that stores user alerts and use a LWC to display alerts
Answer: B
79
Northern Trail Outfitters (NTO) uses a Security Assertion Markup Language (SAML)-based Identity Provider (idP) to authenticate employees to all systems. The IdP authenticates users against a Lightweight Directory.
Access Protocol (LDAP) directory and has access to user information. NTO wants to minimize Salesforce license usage since only a small percentage of users need Salesforce.
What is recommended to ensure new employees have immediate access to Salesforce using their current IdP?
A . Install Salesforce Identity Connect to automatically provision new users in Salesforce the first time they
attempt to login.
B . Build an integration that queries LDAP periodically and creates new active users in Salesforce.
C . Configure Just-in-Time provisioning using SAML attributes to create new Salesforce users as necessary
when a new user attempts to login to Salesforce.
D . Build an integration that queries LDAP and creates new inactive users in Salesforce and use a login flow to
activate the user at
first login.
Answer: C
80
Northern Trail Outfitters (NTO) has an existing custom business-to-consumer (B2C) website that does NOT support single sign-on standards, such as Security Assertion Markup Language (SAMi) or OAuth. NTO wants to use Salesforce Identity to register and authenticate new customers on the website.
Which two Salesforce features should an identity architect use in order to provide username/password authentication for the website?
Choose 2 answers
A . Identity Connect
B . Delegated Authentication
C . Connected Apps
D . Embedded Login
Answer: B, D
81
Universal Containers (UC) rolling out a new Customer Identity and Access Management Solution will be built on top of their existing Salesforce instance.
Several service providers have been setup and integrated with Salesforce using OpenlD Connect to allow for a
seamless single sign-on experience. UC has a requirement to limit user access to only a subset of service providers per customer type.
Which two steps should be done on the platform to satisfy the requirement?
Choose 2 answers
A . Manage which connected apps a user has access to by assigning authentication providers to the users
profile.
B . Assign the connected app to the customer community, and enable the users profile in the Community
settings.
C . Use Profiles and Permission Sets to assign user access to Admin Pre-Approved Connected Apps.
D . Set each of the Connected App access settings to Admin Pre-Approved.
Answer: C, D
82
An identity architect wants to secure Salesforce APIs using Security Assertion Markup Language (SAML). For security purposes, administrators will need to authorize the applications that will be consuming the APIs.
Which Salesforce OAuth authorization flow should be used?
A . OAuth 2-0 SAML Bearer Assertion Flow
B . OAuth 2.0 JWT Bearer Flow
C . SAML Assertion Flow
D . OAuth 2.0 User-Agent Flow
C
83
A company's external application is protected by Salesforce through OAuth. The identity architect for the project needs to limit the level of access to the data of the protected resource in a flexible way.
What should be done to improve security?
A . Select 'Admin approved users are pre-authonzed' and assign specific profiles.
B . Create custom scopes and assign to the connected app.
C . Define a permission set that grants access to the app and assign to authorized users.
D . Leverage external objects and data classification policies.
B
84
Universal Containers is budding a web application that will connect with the Salesforce API using JWT OAuth
Flow.
Which two settings need to be configured in the connect app to support this requirement?
Choose 2 answers
A . The Use Digital Signature option in the connected app.
B . The 'web' OAuth scope in the connected app,
C . The 'api' OAuth scope in the connected app.
D . The 'edair_api' OAuth scope m the connected app
Answer: A, C
85
A large consumer company is planning to create a community and will requ.re login through the customers social identity. The following requirements must be met:
1. The customer should be able to login with any of their social identities, however salesforce should only have
one user per customer.
2. Once the customer has been identified with a social identity, they should not be required to authonze
Salesforce.
3. The customers personal details from the social sign on need to be captured when the customer logs into
Salesforce using their social Identity.
3. If the customer modifies their personal details in the social site, the changes should be updated in
Salesforce.
Which two options allow the Identity Architect to fulfill the requirements?
Choose 2 answers
A . Use Login Flows to call an authentication registration handler to provision the user before logging the user
into the community.
B . Use authentication providers for social sign-on and use the custom registration handler to insert or update
personal details.
C . Redirect the user to a custom page that allows the user to select an existing social identity for login.
D . Use the custom registration handler to link social identities to Salesforce identities.
Answer: B, D
86
Universal Containers wants to allow its customers to log in to its Experience Cloud via a third party authentication provider that supports only the OAuth protocol.
What should an identity architect do to fulfill this requirement?
A . Contact Salesforce Support and enable delegate single sign-on.
B . Create a custom external authentication provider.
C . Use certificate-based authentication.
D . Configure OpenID Connect authentication provider.
Answer: B
87
Universal Containers wants to allow its customers to log in to its Experience Cloud via a third party authentication provider that supports only the OAuth protocol.
What should an identity architect do to fulfill this requirement?
A . Contact Salesforce Support and enable delegate single sign-on.
B . Create a custom external authentication provider.
C . Use certificate-based authentication.
D . Configure OpenID Connect authentication provider.
Answer: B
88
Universal Containers is implementing a new Experience Cloud site and the identity architect wants to use dynamic branding features as of the login process.
Which two options should the identity architect recommend to support dynamic branding for the site?
Choose 2 answers
A . To use dynamic branding, the community must be built with the Visuaiforce + Salesforce Tabs template.
B . To use dynamic branding, the community must be built with the Customer Account Portal template.
C . An experience ID (expid) or placeholder parameter must be used in the URL to represent the brand.
D . An external content management system (CMS) must be used for dynamic branding on Experience Cloud
sites.
Answer: B, C
89
A leading fitness tracker company is getting ready to launch a customer community. The company wants its customers to login to the community and connect their fitness device to their profile. Customers should be able to obtain exercise details and fitness recommendation in the community.
Which should be used to satisfy this requirement?
A . Named Credentials
B . Login Flows
C . OAuth Device Flow
D . Single Sign-On Settings
Answer: C
90
Northern Trail Outfitters (NTO) is setting up Salesforce to authenticate users with an external identity provider.
The NTO Salesforce Administrator is having trouble getting things setup.
What should an identity architect use to show which part of the login assertion is fading?
A . SAML Metadata file importer
B . Identity Provider Metadata download
C . Connected App Manager
D . Security Assertion Markup Language Validator
Answer: D
91
Universal Containers (UC) currently uses Salesforce Sales Cloud and an external billing application. Both Salesforce and the billing application are accessed several times a day to manage customers. UC would like to configure single sign-on and leverage Salesforce as the identity provider. Additionally, UC would like the billing
application to be accessible from Salesforce. A redirect is acceptable.
Which two Salesforce tools should an identity architect recommend to satisfy the requirements?
Choose 2 answers
A . salesforce Canvas
B . Identity Connect
C . Connected Apps
D . App Launcher
Answer: A, D
92
Universal Container's (UC) is using Salesforce Experience Cloud site for its container wholesale business. The
identity architect wants to an authentication provider for the new site.
Which two options should be utilized in creating an authentication provider?
Choose 2 answers
A . A custom registration handier can be set.
B . A custom error URL can be set.
C . The default login user can be set.
D . The default authentication provider certificate can be set.
Answer: A, B
93
Northern Trail Outfitters (NTO) leverages Microsoft Active Directory (AD) for management of employee usernames, passwords, permissions, and asset access. NTO also owns a third-party single sign-on (SSO) solution. The third-party party SSO solution is used for all corporate applications, including Salesforce.
NTO has asked an architect to explore Salesforce Identity Connect for automatic provisioning and deprovisiorung of users in Salesforce.
What role does identity Connect play in the outlined requirements?
A . Service Provider
B . Single Sign-On
C . Identity Provider
D . User Management
Answer: D
94
An identity architect is implementing a mobile-first Consumer Identity Access Management (CIAM) for external users. User authentication is the only requirement. The users email or mobile phone number should be supported as a username.
.
Which two licenses are needed to meet this requirement?
Choose 2 answers.
A . External Identity Licenses
B . Identity Connect Licenses
C . Email Verification Credits
D . SMS verification Credits
Answer: A, D
95
The executive sponsor for an organization has asked if Salesforce supports the ability to embed a login widget into its service providers in order to create a more seamless user experience.
What should be used and considered before recommending it as a solution on the Salesforce Platform?
A . OpenID Connect Web Server Flow. Determine if the service provider is secure enough to store the client
secret on.
B . Embedded Login. Identify what level of UI customization will be required to make it match the service
providers look and feel.
C . Salesforce REST apis. Ensure that Secure Sockets Layer (SSL) connection for the integration is used.
D . Embedded Login. Consider whether or not it relies on third party cookies which can cause browser
compatibility issues.
Answer: D
96
A global company has built an external application that uses data from its Salesforce org via an OAuth 2.0 authorization flow. Upon logout, the existing Salesforce OAuth token must be invalidated.
Which action will accomplish this?
A . Use a HTTP POST to request the refresh token for the current user.
B . Use a HTTP POST to the System for Cross-domain Identity Management (SCIM) endpoint, including the
current OAuth token.
C . Use a HTTP POST to make a call to the revoke token endpoint.
D . Enable Single Logout with a secure logout URL.
Answer: C
97
A global company's Salesforce Identity Architect is reviewing its Salesforce production org login history and is seeing some intermittent Security Assertion Markup Language (SAML SSO) 'Replay Detected and Assertion Invalid' login errors.
Which two issues would cause these errors?
Choose 2 answers
A . The subject element is missing from the assertion sent to salesforce.
B . The certificate loaded into SSO configuration does not match the certificate used by the IdP.
C . The current time setting of the company's identity provider (IdP) and Salesforce platform is out of sync by
more than eight minutes.
D . The assertion sent to 5alesforce contains an assertion ID previously used
Answer: A, D
98
Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is important for NTO to give its customers the ability to login with their Amazon credentials.
What should an identity architect recommend to meet these requirements?
A . Configure a predefined authentication provider for Amazon.
B . Create a custom external authentication provider for Amazon.
C . Configure an OpenID Connect Authentication Provider for Amazon.
D . Configure Amazon as a connected app.
Answer: C
99
A web service is developed that allows secure access to customer order status on the Salesforce Platform, The service connects to Salesforce through a connected app with the web server flow. The following are the required actions for the authorization flow:
1. User Authenticates and Authorizes Access
2. Request an Access Token
3. Salesforce Grants an Access Token
4. Request an Authorization Code
5. Salesforce Grants Authorization Code
What is the correct sequence for the authorization flow?
A . 1, 4, 5, 2, 3
B . 4, 1, 5, 2, 3
C . 2, 1, 3, 4, 5
D . 4,5,2, 3, 1
Answer: D
100
Universal Containers (UC) has decided to replace the homegrown customer portal with Salesforce Experience Cloud. UC will continue to use its third-party single sign-on (SSO) solution that stores all of its customer and partner credentials.
The first time a customer logs in to the Experience Cloud site through SSO, a user record needs to be created
automatically.
Which solution should an identity architect recommend in order to automatically provision users in Salesforce
upon login?
A . Just-in-Time (JIT) provisioning
A . Custom middleware and web services
B . Custom login flow and Apex handler
D . Third-party AppExchange solution
A
101
Universal Containers is creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-agent flow (this flow uses the OAuth 2.0 implicit grant type).
Which three OAuth concepts apply to this flow?
Choose 3 answers
A . Client ID
B . Refresh Token
C . Authorization Code
D . Verification Code
E . Scopes
Answer: A, B, E
102
Northern Trail Outfitters (NTO) uses the Customer 360 Platform implemented on Salesforce Experience Cloud. The development team in charge has learned of a contactless user feature, which can reduce the overhead of managing customers and partners by creating users without contact information.
What is the potential impact to the architecture if NTO decides to implement this feature?
A . Custom registration handler is needed to correctly assign External Identity or Community license for the
newly registered contactless user.
B . If contactless user is upgraded to Community license, the contact record is automatically created and linked
to the user record, but not associated with an Account.
C . Contactless user feature is available only with the External Identity license, which can restrict the
Experience Cloud functionality available to the user.
D . Passwordless authentication can not be supported because the mobile phone receiving one-time password
(OTP) needs to match the number on the contact record.
C
103
An Identity and Access Management (IAM) architect is tasked with unifying multiple B2C Commerce sites and an Experience Cloud community with a single identity. The solution needs to support more than 1,000 logins per minute.
What should the IAM do to fulfill this requirement?
A . Configure both the community and the commerce sites as OAuth2 RPs (relying party) with an external
identity provider.
B . Configure community as a Security Assertion Markup Language (SAML) identity provider and enable Just-inTime Provisioning to B2C Commerce.
C . Create a default account for capturing all ecommerce contacts registered on the community because
personAccount is not supported for this case.
D . Confirm performance considerations with Salesforce Customer Support due to high peaks
Answer: D
104
Universal Containers is using OpenID Connect to enable a connection from their new mobile app to its production Salesforce org.
What should be done to enable the retrieval of the access token status for the OpenID Connect connection?
A . Query using OpenID Connect discovery endpoint.
B . A Leverage OpenID Connect Token Introspection.
C . Create a custom OAuth scope.
D . Enable cross-origin resource sharing (CORS) for the /services/oauth2/token endpoint.
Answer: B
105
A division of a Northern Trail Outfitters (NTO) purchased Salesforce. NTO uses a third party identity provider (IdP) to validate user credentials against Its corporate Lightweight Directory Access Protocol (LDAP) directory.
NTO wants to help employees remember as passwords as possible.
What should an identity architect recommend?
A . Setup Salesforce as a Service Provider to the existing IdP.
B . Setup Salesforce as an IdP to authenticate against the LDAP directory.
C . Use Salesforce connect to synchronize LDAP passwords to Salesforce.
D . Setup Salesforce as an Authentication Provider to the existing IdP.
Answer: A
106
Universal Containers (UC) uses Salesforce for its customer service agents. UC has a proprietary system for order tracking which supports Security Assertion Markup Language (SAML) based single sign-on. The VP of customer service wants to ensure only active Salesforce users should be able to access the order tracking
system which is only visible within Salesforce.
What should be done to fulfill the requirement?
Choose 2 answers
A . Setup Salesforce as an identity provider (IdP) for order Tracking.
B . Set up the Corporate Identity store as an identity provider (IdP) for Order Tracking,
C . Customize Order Tracking to initiate a REST call to validate users in Salesforce after login.
D . Setup Order Tracking as a Canvas app in Salesforce to POST IdP initiated SAML assertion.
Answer: A, B
107
Outfitters (NTO) is using Experience Cloud as an Identity for its application on Heroku. The application on Heroku should be able to handle two brands, Northern Trail Shoes and Northern Trail Shirts.
A user should select either of the two brands in Heroku before logging into the community. The app then performs Authorization using OAuth2.0 with the Salesforce Experience Cloud site.
NTO wants to make sure it renders login page images dynamically based on the user's brand preference selected in Heroku before Authorization.
what should an identity architect do to fulfill the above requirements?
A . For each brand create different communities and redirect users to the appropriate community using a
custom Login controller written in Apex.
B . Create multiple login screens using Experience Builder and use Login Flows at runtime to route to different
login screens.
C . Authorize third-party service by sending authorization requests to the communityurl/services/oauth2/authorize/cookie_value.
D . Authorize third-party service by sending authorization requests to the communityurl/services/oauth2/authonze/expid_value.
D
108
Universal Containers has multiple Salesforce instances where users receive emails from different instances. Users should be logged into the correct Salesforce instance authenticated by their IdP when clicking on an email link to a Salesforce record.
What should be enabled in Salesforce as a prerequisite?
A . My Domain
B . External Identity
C . Identity Provider
D . Multi-Factor Authentication
A
109
Universal Containers uses Salesforce as an identity provider and Concur as the Employee Expense management system. The HR director wants to ensure Concur accounts for employees are created only after the appropriate approval in the Salesforce org.
Which three steps should the identity architect use to implement this requirement?
Choose 3 answers
A . Create an approval process for a custom object associated with the provisioning flow.
B . Create a connected app for Concur in Salesforce.
C . Enable User Provisioning for the connected app.
D . Create an approval process for user object associated with the provisioning flow.
E . Create an approval process for UserProvisionlngRequest object associated with the provisioning flow.
Answer: B, C, E
110
A client is planning to rollout multi-factor authentication (MFA) to its internal employees and wants to understand which authentication and verification methods meet the Salesforce criteria for secure
authentication.
Which three functions meet the Salesforce criteria for secure mfa?
Choose 2 answers
A . username and password + SMS passcode
B . Username and password + secunty key
C . Third-party single sign-on with Mobile Authenticator app
D . Certificate-based Authentication
Answer: B, C
111
Universal Containers (UC) is considering a Customer 360 initiative to gain a single source of the truth for its customer data across disparate systems and services. UC wants to understand the primary benefits of Customer 360 Identity and how it contributes ato successful Customer 360 Truth project. What are two are key benefits of Customer 360 Identity as it relates to Customer 360?
Choose 2 answers
A . Customer 360 Identity automatically integrates with Customer 360 Data Manager and Customer 360 Audiences to seamlessly populate all user data.
B . Customer 360 Identity enables an organization to build a single login for each of its customers, giving the organization an understanding of the user's login activity across all its digital properties and applications.
C . Customer 360 Identity supports multiple brands so you can deliver centralized identity services and correlation of user activity,
even if it spans multiple corporate brands and user experiences.
D . Customer 360 Identity not only provides a unified sign up and sign in experience, but also tracks anonymous user activity prior to signing up so organizations can understand user activity before and after the users identify themselves
Answer: B, C
112
A manufacturer wants to provide registration for an Internet of Things (IoT) device with limited display input or capabilities.
Which Salesforce OAuth authorization flow should be used?
A . OAuth 2.0 JWT Bearer How
B . OAuth 2.0 Device Flow
C . OAuth 2.0 User-Agent Flow
D . OAuth 2.0 Asset Token Flow
Answer: B
113
Universal Containers (UC) is setting up delegated authentication to allow employees to log in using their corporate credentials. UC's security team is concerned about the risks of exposing the corporate login service on the internet and has asked that a reliable trust mechanism be put in place between the login service and Salesforce.
What mechanism should an Architect put in place to enable a trusted connection between the login service
and Salesforce?
A . Require the use of Salesforce security tokens on passwords.
B . Enforce mutual authentication between systems using SSL.
C . Include Client Id and Client Secret in the login header callout.
D . Set up a proxy service for the login service in the DMZ.
Answer: A
114
Universal Containers wants to implement Single Sign-on for a Salesforce org using an external Identity Provider and corporate identity store.
What type of authentication flow is required to support deep linking'
A . Web Server OAuth SSO flow
B . Service-Provider-Initiated SSO
C . Identity-Provider-initiated SSO
D . StartURL on Identity Provider
Answer: B
115
Which two considerations should be made when implementing Delegated Authentication?
Choose 2 answers
A . The authentication web service can include custom attributes.
B . It can be used to authenticate API clients and mobile apps.
C . It requires trusted IP ranges at the User Profile level.
D . Salesforce servers receive but do not validate a user's credentials.
E . Just-in-time Provisioning can be configured for new users.
Answer: B, E
116
Universal Containers (UC) has implemented SAML-based Single Sign-On to provide seamless access to its Salesforce Orgs, financial system, and CPQ system. Below is the SSO implementation landscape.
What role combination is represented by the systems in this scenario''
A . Financial System and CPQ System are the only Service Providers.
B . Salesforce Org1 and Salesforce Org2 are the only Service Providers.
C . Salesforce Org1 and Salesforce Org2 are acting as Identity Providers.
D . Salesforce Org1 and PingFederate are acting as Identity Providers.
Answer: D
117
Universal Containers (UC) would like to enable self-registration for their Salesforce Partner Community Users. UC wants to capture some custom data elements from the partner user, and based on these data elements,
wants to assign the appropriate Profile and Account values.
Which two actions should the Architect recommend to UC1
Choose 2 answers
A . Configure Registration for Communities to use a custom Visualforce Page.
B . Modify the SelfRegistration trigger to assign Profile and Account.
C . Modify the CommunitiesSelfRegController to assign the Profile and Account.
D . Configure Registration for Communities to use a custom Apex Controller.
Answer: A, C
118
Universal Containers built a custom mobile app for their field reps to create orders in Salesforce. OAuth is used for authenticating mobile users. The app is built in such a way that when a user session expires after Initial login, a new access token is obtained automatically without forcing the user to log in again.
While that improved the field reps' productivity, UC realized that they need a 'logout' feature.
What should the logout function perform in this scenario, where user sessions are refreshed automatically?
A . Invoke the revocation URL and pass the refresh token.
B . Clear out the client Id to stop auto session refresh.
C . Invoke the revocation URL and pass the access token.
D . Clear out all the tokens to stop auto session refresh.
Answer: A
119
Universal Containers (UC) uses Active Directory (AD) as their identity store for employees and must continue to do so for network access. UC is undergoing a major transformation program and moving all of their enterprise applications to cloud platforms including Salesforct, Workday, and SAP HAN UC needs to implement an SSO solution for accessing all of the third-party cloud applications and the CIO is inclined to use Salesforce for all of their identity and access management needs.
Which two Salesforce license types does UC need for its employees'
Choose 2 answers
A . Company Community and Identity licenses
B . Identity and Identity Connect licenses
C . Chatter Only and Identity licenses
D . Salesforce and Identity Connect licenses
Answer: B, D
120
Universal Containers (UC) has a strict requirement to authenticate users to Salesforce using their mainframe credentials. The mainframe user store cannot be accessed from a SAML provider. UC would also like to have users in Salesforce created on the fly if they provide accurate mainframe credentials.
How can the Architect meet these requirements?
A . Use a Salesforce Login Flow to call out to a web service and create the user on the fly.
B . Use the SOAP API to create the user when created on the mainframe; implement Delegated
Authentication.
C . Implement Just-In-Time Provisioning on the mainframe to create the user on the fly.
D . Implement OAuth User-Agent Flow on the mainframe; use a Registration Handler to create the user on the
fly.
Answer: C
121
Which three different attributes can be used to identify the user in a SAML 65> assertion when Salesforce is acting as a Service Provider?
Choose 3 answers
A . Federation ID
B . Salesforce User ID
C . User Full Name
D . User Email Address
E . Salesforce Username
Answer: A, C, D
122
An architect needs to set up a Facebook Authentication provider as login option for a salesforce customer Community. What portion of the authentication provider setup associates a Facebook user with a salesforce user?
A . Consumer key and consumer secret
B . Federation ID
C . User info endpoint URL
D . Apex registration handler
D
123
Universal containers(UC) has decided to build a new, highly sensitive application on Force.com platform. The security team at UC has decided that they want users to provide a fingerprint in addition to
username/Password to authenticate to this application. How can an architect support fingerprints as a form of identification for salesforce Authentication?
A . Use salesforce Two-factor Authentication with callouts to a third-party fingerprint scanning application.
B . Use Delegated Authentication with callouts to a third-party fingerprint scanning application.
C . Use an appexchange product that does fingerprint scanning with native salesforce identity confirmation.
D . Use custom login flows with callouts to a third-party fingerprint scanning application.
Answer: D
124
Universal containers (UC) has implemented ansp-Initiated SAML flow between an external IDP and salesforce. A user at UC is attempting to login to salesforce1 for the first time and is being prompted for salesforce credentials instead of being shown the IDP login page.
What is the likely cause of the issue?
A . The 'Redirect to Identity Provider' option has been selected in the my domain configuration.
B . The user has not configured the salesforce1 mobile app to use my domain for login
C . The 'Redirect to identity provider' option has not been selected the SAML configuration.
D . The user has not been granted the 'Enable single Sign-on' permission
Answer: B
125
Universal containers (UC) built a customer Community for customers to buy products, review orders, and manage their accounts. UC has provided three different options for customers to log in to the customer Community: salesforce, Google, and Facebook. Which two role combinations are represented by the systems
in the scenario?
Choose 2 answers
A . Google is the service provider and Facebook is the identity provider
B . Salesforce is the service provider and Google is the identity provider
C . Facebook is the service provider and salesforce is the identity provider
D . Salesforce is the service provider and Facebook is the identity provider
Answer: B, D
126
Universal containers (UC) has implemented SAML -based single Sign-on for their salesforce application. UC is using pingfederate as the Identity provider. To access salesforce, Users usually navigate to a bookmarked link to my domain URL.
What type of single Sign-on is this?
A . Sp-Initiated
B . IDP-initiated with deep linking
C . IDP-initiated
D . Web server flow.
Answer: A
127
Universal containers (UC) would like to enable self - registration for their salesforce partner community users. UC wants to capture some custom data elements from the partner user, and based on these data elements, wants to assign the appropriate profile and account values. Which two actions should the architect
recommend to UC?
Choose 2 answers
A . Modify the communitiesselfregcontroller to assign the profile and account.
B . Modify the selfregistration trigger to assign profile and account.
C . Configure registration for communities to use a custom visualforce page.
D . Configure registration for communities to use a custom apex controller.
Answer: A, C
128
Universal containers (UC) does my domain enable in the context of a SAML SSO configuration?
Choose 2 answers
A . Resource deep linking
B . App launcher
C . SSO from salesforce1 mobile app.
D . Login forensics
Answer: A, C
129
Universal containers(UC) has implemented SAML-BASED single Sign-on for their salesforce application and is planning to provide access to salesforce on mobile devices using the salesforce1 mobile app. UC wants to ensure that single Sign-on is used for accessing the salesforce1 mobile app.
Which two recommendations should the architect make?
Choose 2 answers
A . Use the existing SAML SSO flow along with user agent flow.
B . Configure the embedded Web browser to use my domain URL.
C . Use the existing SAML SSO flow along with Web server flow
D . Configure the salesforce1 app to use the my domain URL
Answer: A, D
130
Universal containers (UC) is successfully using Delegated Authentication for their salesforce users. The service
supporting Delegated Authentication is written in Java. UC has a new CIO that is requiring all company Web services be RESR-ful and written in . NET.
Which two considerations should the UC Architect provide to the new CIO?
Choose 2 answers
A . Delegated Authentication will not work with a.net service.
B . Delegated Authentication will continue to work with rest services.
C . Delegated Authentication will continue to work with a.net service.
D . Delegated Authentication will not work with rest services.
Answer: C, D
131
customer service representatives at Universal containers (UC) are complaining that whenever they click on links to case records and are asked to login with SAML SSO, they are being redirected to the salesforce home tab and not the specific case record. What item should an architect advise the identity team at UC to
investigate first?
A . My domain is configured and active within salesforce.
B . The salesforce SSO settings are using http post
C . The identity provider is correctly preserving the Relay state
D . The users have the correct Federation ID within salesforce.
C
132
The CIO of universal containers(UC) wants to start taking advantage of the refresh token capability for the UC applications that utilize Oauth 2.0. UC has listed an architect to analyze all of the applications that use Oauth flows to. See where refresh Tokens can be applied. Which two OAuth flows should the architect consider in
their evaluation?
Choose 2 answers
A . Web server
B . Jwt bearer token
C . User-Agent
D . Username-password
Answer: A, C
133
Universal Containers (UC) implemented SSO to a third-party system for their Salesforce users to access the App Launcher. UC enabled ''User Provisioning'' on the Connected App so that changes to user accounts can be synched between Salesforce and the third-party system. However, UC quickly notices that changes to user
roles in Salesforce are not getting synched to the third-party system. What is the most likely reason for this
behavior?
A . User Provisioning for Connected Apps does not support role sync.
B . Required operation(s) was not mapped in User Provisioning Settings.
C . The Approval queue for User Provisioning Requests is unmonitored.
D . Salesforce roles have more than three levels in the role hierarchy.
Answer: A
134
Which two security risks can be mitigated by enabling Two-Factor Authentication (2FA) in Salesforce?
Choose 2 answers
A . Users leaving laptops unattended and not logging out of Salesforce.
B . Users accessing Salesforce from a public Wi-Fi access point.
C . Users choosing passwords that are the same as their Facebook password.
D . Users creating simple-to-guess password reset questions.
Answer: B, C
135
What is one of the roles of an Identity Provider in a Single Sign-on setup using SAML?
A . Validate token
B . Create token
C . Consume token
D . Revoke token
Answer: B
136
How should an Architect force users to authenticate with Two-factor Authentication (2FA) for Salesforce only when not connected to an internal company network?
A . Use Custom Login Flows with Apex to detect the user's IP address and prompt for 2FA if needed.
B . Add the list of company's network IP addresses to the Login Range list under 2FA Setup.
C . Use an Apex Trigger on the UserLogin object to detect the user's IP address and prompt for 2FA if needed.
D . Apply the 'Two-factor Authentication for User Interface Logins' permission and Login IP Ranges for all
Profiles.
Answer: A
137
Universal Containers (UC) is building an authenticated Customer Community for its customers. UC does not want customer credentials stored in Salesforce and is confident its customers would be willing to use their social media credentials to authenticate to the community. Which two actions should an Architect recommend
UC to take?
choose 2
A . Use Delegated Authentication to call the Twitter login API to authenticate users.
B . Configure an Authentication Provider for LinkedIn Social Media Accounts.
C . Create a Custom Apex Registration Handler to handle new and existing users.
D . Configure SSO Settings For Facebook to serve as a SAML Identity Provider.
Answer: B, C
138
Containers (UC) uses an internal system for recruiting and would like to have the candidates' info available in the Salesforce automatically when they are selected. UC decides to use OAuth to connect to Salesforce from the recruiting system and would like to do the authentication using digital certificates.
Which two OAuth flows should be considered to meet the requirement?
Choose 2 answers
A . JWT Bearer Token flow
B . Refresh Token flow
C . SAML Bearer Assertion flow
D . Web Service flow
Answer: A, C
139
Universal Containers (UC) has implemented a multi-org architecture in their company. Many users have licences across multiple orgs, and they are complaining about remembering which org and credentials are tied to which business process. Which two recommendations should the Architect make to address the
Complaints?
Choose 2 answers
A . Activate My Domain to Brand each org to the specific business use case.
B . Implement SP-Initiated Single Sign-on flows to allow deep linking.
C . Implement IdP-Initiated Single Sign-on flows to allow deep linking.
D . Implement Delegated Authentication from each org to the LDAP provider.
Answer: A, B
140
Universal Containers (UC) is looking to purchase a third-party application as an Identity Provider. UC is looking to develop a business case for the purchase in general and has enlisted an Architect for advice. Which two capabilities of an Identity Provider should the Architect detail to help strengthen the business case?
Choose 2 answers
A . The Identity Provider can authenticate multiple applications.
B . The Identity Provider can authenticate multiple social media accounts.
C . The Identity provider can store credentials for multiple applications.
D . The Identity Provider can centralize enterprise password policy
Answer: A, D
141
Universal Containers (UC) wants to build a mobile application that twill be making calls to the Salesforce REST API. UC's Salesforce implementation relies heavily on custom objects and custom Apex code. UC does not want its users to have to enter credentials every time they use the app. Which two scope values should an
Architect recommend to UC?
Choose 2 answers.
A . Custom_permissions
B . Api
C . Refresh_token
D . Full
Answer: B, C
142
Universal Containers (UC) has a mobile application for its employees that uses data from Salesforce as well as uses Salesforce for Authentication purposes. UC wants its mobile users to only enter their credentials the first time they run the app. The application has been live for a little over 6 months, and all of the users who were
part of the initial launch are complaining that they have to re-authenticate. UC has also recently changed the URI Scheme associated with the mobile app. What should the Architect at UC first investigate? Universal Containers (UC) has a mobile application for its employees that uses data from Salesforce as well as uses Salesforce for Authentication purposes. UC wants its mobile users to only enter their credentials the first time they run the app. The application has been live for a little over 6 months, and all of the users who were part of the initial launch are complaining that they have to re-authenticate. UC has also recently changed the URI Scheme associated with the mobile app. What should the Architect at UC first investigate?
A . Check the Refresh Token policy defined in the Salesforce Connected App.
B . Validate that the users are checking the box to remember their passwords.
C . Verify that the Callback URL is correctly pointing to the new URI Scheme.
D . Confirm that the access Token's Time-To-Live policy has been set appropriately.
Answer: A
143
Universal Containers (UC) is building a custom Innovation platform on their Salesforce instance. The Innovation platform will be written completely in Apex and Visualforce and will use custom objects to store the Data. UC would like all users to be able to access the system without having to log in with Salesforce credentials.
UC will utilize a third-party idp using SAML SSO. What is the optimal Salesforce licence type for all of the UC employees?
A . Identity Licence.
B . Salesforce Licence.
C . External Identity Licence.
D . Salesforce Platform Licence.
Answer: D
144
Universal Containers (UC) has Active Directory (AD) as their enterprise identity store and would like to use it for Salesforce user authentication. UC expects to synchronize user data between Salesforce and AD and Assign the appropriate Profile and Permission Sets based on AD group membership. What would be the optimal way to implement SSO?
A . Use Active Directory with Reverse Proxy as the Identity Provider.
B . Use Microsoft Access control Service as the Authentication provider.
C . Use Active Directory Federation Service (ADFS) as the Identity Provider.
D . Use Salesforce Identity Connect as the Identity Provider.
Answer: D
145
Universal Containers (UC) is using a custom application that will act as the Identity Provider and will generate SAML assertions used to log in to Salesforce. UC is considering including custom parameters in the SAML assertion. These attributes contain sensitive data and are needed to authenticate the users. The assertions are
submitted to salesforce via a browser form post. The majority of the users will only be able to access Salesforce via UC's corporate network, but a subset of admins and executives would be allowed access from outside the corporate network on their mobile devices. Which two methods should an Architect consider to ensure that the sensitive data cannot be tampered with, nor accessible to anyone while in transit?
choose 2
A . Use the Identity Provider's certificate to digitally sign and Salesforce's Certificate to encrypt the payload.
B . Use Salesforce's Certificate to digitally sign the SAML Assertion and a Mobile Device Management client on
the users' mobile devices.
C . Use the Identity provider's certificate to digitally Sign and the Identity provider's certificate to encrypt the
payload.
D . Use a custom login flow to retrieve sensitive data using an Apex callout without including the attributes in
the assertion.
Answer: A, C
146
Universal containers (UC) uses a legacy Employee portal for their employees to collaborate and post their ideas. UC decides to use salesforce ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC decides to push ideas posted on the Employee portal to salesforce through API. UC decides
to use an API user using Oauth Username - password flow for the connection. How can the connection to salesforce be restricted only to the employee portal server?
A . Add the Employee portals IP address to the Trusted IP range for the connected App
B . Use a digital certificate signed by the employee portal Server.
C . Add the employee portals IP address to the login IP range on the user profile.
D . Use a dedicated profile for the user the Employee portal uses.
Answer: A
147
Universal containers (UC) uses a home-grown employee portal for their employees to collaborate. UC decides to use salesforce ideas to allow the employees to post ideas from the employee portal. When clicking some links in the employee portal, the users should be redirected to salesforce, authenticated, and presented with relevant pages. What scope should be requested when using the Oauth token to meet this requirement?
A . Web
B . Full
C . API
D . Visualforce
Answer: A
148
Universal containers (UC) is setting up their customer Community self-registration process. They are uncomfortable with the idea of assigning new users to a default account record. What will happen when customers self-register in the community?
A . The self-registration process will produce an error to the user.
B . The self-registration page will ask user to select an account.
C . The self-registration process will create a person Account record.
D . The self-registration page will create a new account record.
Answer: A
149
Universal containers (UC) has implemented a multi-org strategy and would like to centralize the management of their salesforce user profiles. What should the architect recommend to allow salesforce profiles to be managed from a central system of record?
A . Implement jit provisioning on the SAML IDP that will pass the profile id in each assertion.
B . Create an apex scheduled job in one org that will synchronize the other orgs profile.
C . Implement Delegated Authentication that will update the user profiles as necessary.
D . Implement an Oauthjwt flow to pass the profile credentials between systems.
Answer: A
150
Universal containers (UC) is concerned that having a self-registration page will provide a means for 'bots' or unintended audiences to create user records, thereby consuming licenses and adding dirty data. Which two actions should UC take to prevent unauthorised form submissions during the self-registration process?
Choose 2 answers
A . Use open-ended security questions and complex password requirements
B . Primarily use lookup and picklist fields on the self registration page.
C . Require a captcha at the end of the self-registration process.
D . Use hidden fields populated via java script events in the self-registration page.
Answer: C, D
151
Universal containers wants to set up SSO for a selected group of users to access external applications from salesforce through App launcher. Which three steps must be completed in salesforce to accomplish the goal?
A . Associate user profiles with the connected Apps.
B . Complete my domain and Identity provider setup.
C . Create connected apps for the external applications.
D . Complete single Sign-on settings in security controls.
E . Create named credentials for each external system
Answer: A, B, C
152
Universal containers (UC) has decided to use identity connect as it's identity provider. UC uses active directory(AD) and has a team that is very familiar and comfortable with managing ad groups. UC would like to use AD groups to help configure salesforce users. Which three actions can AD groups control through identity connect?
Choose 3 answers
A . Public Group Assignment
B . Granting report folder access
C . Role Assignment
D . Custom permission assignment
E . Permission sets assignment
Answer: A, C, E
153
Universal containers (UC) wants to integrate a Web application with salesforce. The UC team has implemented the Oauth web-server Authentication flow for authentication process. Which two considerations should an architect point out to UC?
Choose 2 answers
A . The web application should be hosted on a secure server.
B . The web server must be able to protect consumer privacy
C . The flow involves passing the user credentials back and forth.
D . The flow will not provide an Oauth refresh token back to the server.
Answer: A, B
154
A group of users try to access one of universal containers connected apps and receive the following error message : 'Failed : Not approved for access'. what is most likely to cause of the issue?
A . The use of high assurance sections are required for the connected App.
B . The users do not have the correct permission set assigned to them.
C . The connected App setting 'All users may self-authorize' is enabled.
D . The salesforce administrators gave revoked the Oauth authorization.
Answer: B
155
Universal containers (UC) has a classified information system that its call center team uses only when they are working on a case with a record type of 'classified'. They are only allowed to access the system when they own an open 'classified' case, and their access to the system is removed at all other times. They would like to
implement SAML SSO with salesforce as the IDP, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open 'classified' case record when they try to access the system using SSO. What is the recommended solution for automatically allowing or denying
access to the classified information system based on the open 'classified' case record criteria?
A . Use a custom connected App handler using apex to dynamically allow access to the system based on
whether the staff owns any open 'classified' cases.
B . Use apex trigger on case to dynamically assign permission sets that grant access when a user is assigned
with an open 'classified' case, and remove it when the case is closed.
C . Use custom SAML jit provisioning to dynamically query the user's open 'classified' cases when attempting
to access the classified information system
D . Use salesforce reports to identify users that currently owns open 'classified' cases and should be granted
access to the classified information system.
Answer: A
156
An architect has successfully configured SAML-BASED SSO for universal containers. SSO has been working for 3
months when Universal containers manually adds a batch of new users to salesforce. The new users receive an
error from salesforce when trying to use SSO. Existing users are still able to successfully use SSO to access salesforce. What is the probable cause of this behaviour?
A . The administrator forgot to reset the new user's salesforce password.
B . The Federation ID field on the new user records is not correctly set
C . The my domain capability is not enabled on the new user's profile.
D . The new users do not have the SSO permission enabled on their profiles.
Answer: B
157
Universal containers wants to implement single Sign-on for a salesforce org using an external identity provider and corporate identity store. What type of Authentication flow is required to support deep linking?
A . Web server Oauth SSO flow.
B . Identity-provider-initiated SSO
C . Service-provider-initiated SSO
D . Start URL on identity provider
Answer: C
158
Universal containers (UC) wants to implement Delegated Authentication for a certain subset of Salesforce users. Which three items should UC take into consideration while building the Web service to handle the Delegated Authentication request?
Choose 3 answers
A . The web service needs to include Source IP as a method parameter.
B . UC should whitelist all salesforce ip ranges on their corporate firewall.
C . The web service can be written using either the soap or rest protocol.
D . Delegated Authentication is enabled for the system administrator profile.
E . The return type of the Web service method should be a Boolean value
Answer: A, B, E
159
Universal containers (UC) has an e-commerce website while customers can buy products, make payments, and manage their accounts. UC decides to build a customer Community on Salesforce and wants to allow the customers to access the community for their accounts without logging in again. UC decides to implement ansp-Initiated SSO using a SAML-BASED complaint IDP. In this scenario where salesforce is the service provider, which two activities must be performed in salesforce to make sp-Initiated SSO work?
Choose 2 answers
A . Configure SAML SSO settings.
B . Configure Delegated Authentication
C . Create a connected App
D . Set up my domain
Answer: A, D
160
Universal containers (UC) uses an internal company portal for their employees to collaborate. UC decides to use salesforce ideas and provide the ability for employees to post ideas from the company portal. They use SAML-BASED SSO to get into the company portal and would like to leverage it to access salesforce. Most of the
users don't exist in salesforce and they would like the user records created in salesforce communities the first time they try to access salesforce. What recommendation should an architect make to meet this requirement?
A . Use on-the-fly provisioning
B . Use just-in-time provisioning
C . Use salesforce APIs to create users on the fly
D . Use Identity connect to sync users
Answer: B
161
After a recent audit, universal containers was advised to implement Two-factor Authentication for all of their critical systems, including salesforce. Which two actions should UC consider to meet this requirement?
Choose 2 answers
A . Require users to provide their RSA token along with their credentials.
B . Require users to supply their email and phone number, which gets validated.
C . Require users to enter a second password after the first Authentication
D . Require users to use a biometric reader as well as their password
Answer: A, D
162
In a typical SSL setup involving a trusted party and trusting party, what consideration should an Architect take into account when using digital certificates?
A . Use of self-signed certificate leads to lower maintenance for trusted party because multiple self-signed
certs need to be maintained.
B . Use of self-signed certificate leads to higher maintenance for trusted party because they have to act as the
trusted CA
C . Use of self-signed certificate leads to lower maintenance for trusting party because there is no trusted CA
cert to maintain.
D . Use of self-signed certificate leads to higher maintenance for trusting party because the cert needs to be
added to their truststore.
Answer: C
163
Universal Containers (UC) uses middleware to integrate multiple systems with Salesforce. UC has a strict, new requirement that usernames and passwords cannot be stored in any UC system. How can UC's middleware authenticate to Salesforce while adhering to this requirement?
A . Create a Connected App that supports the JWT Bearer Token OAuth Flow.
B . Create a Connected App that supports the Refresh Token OAuth Flow
C . Create a Connected App that supports the Web Server OAuth Flow.
D . Create a Connected App that supports the User-Agent OAuth Flow.
Answer: A
164
Containers (UC) uses a legacy Employee portal for their employees to collaborate. Employees access the portal from their company's internal website via SSO. It is set up to work with SiteMinder and Active Directory. The Employee portal has features to support posing ideas. UC decides to use Salesforce Ideas for voting and better
tracking purposes. To avoid provisioning users on Salesforce, UC decides to integrate Employee portal ideas with Salesforce idea through the API. What is the role of Salesforce in the context of SSO, based on this scenario?
A . Service Provider, because Salesforce is the application for managing ideas.
B . Connected App, because Salesforce is connected with Employee portal via API.
C . Identity Provider, because the API calls are authenticated by Salesforce.
D . An independent system, because Salesforce is not part of the SSO setup
Answer: D
165
Universal Containers (UC) uses Salesforce to allow customers to keep track of the order status. The customers can log in to Salesforce using external authentication providers, such as Facebook and Google. UC is also leveraging the App Launcher to let customers access an of platform application for generating shipping labels.
The label generator application uses OAuth to provide users access. What license type should an Architect recommend for the customers?
A . Customer Community license
B . Identity license
C . Customer Community Plus license
D . External Identity license
Answer: B
166
Which three are capabilities of SAML-based Federated authentication?
Choose 3 answers
A . Trust relationships between Identity Provider and Service Provider are required.
B . SAML tokens can be in XML or JSON format and can be used interchangeably.
C . Web applications with no passwords are more secure and stronger against attacks.
D . Access tokens are used to access resources on the server once the user is authenticated.
E . Centralized federation provides single point of access, control and auditing.
Answer: A, D, E
167
Universal Containers (UC) is both a Salesforce and Google Apps customer. The UC IT team would like to manage the users for both systems in a single place to reduce administrative burden. Which two optimal ways can the IT team provision users and allow Single Sign-on between Salesforce and Google Apps ?
Choose 2 answers
A . Build a custom app running on Heroku as the Identity Provider that can sync user information between Salesforce and Google Apps.
B . Use a third-party product as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.
C . Use Identity Connect as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.
D . Use Salesforce as the Identity Provider and Google Apps as a Service Provider and configure User Provisioning for Connected Apps
Answer: B, D
168
Universal containers (UC) has implemented SAML SSO to enable seamless access across multiple applications. UC has regional salesforce orgs and wants it's users to be able to access them from their main Salesforce org seamless. Which action should an architect recommend?
A . Configure the main salesforce org as an Authentication provider.
B . Configure the main salesforce org as the Identity provider.
C . Configure the regional salesforce orgs as Identity Providers.
D . Configure the main Salesforce org as a service provider.
Answer: B
169
Universal containers (UC) wants to implement a partner community. As part of their implementation, UC would like to modify both the Forgot password and change password experience with custom branding for their partner community users. Which 2 actions should an architect recommend to UC?
Choose 2 answers
A . Build a community builder page for the change password experience and Custom Visualforce page for the
Forgot password experience.
B . Build a custom visualforce page for both the change password and Forgot password experiences.
C . Build a custom visualforce page for the change password experience and a community builder page for the
Forgot password experience.
D . Build a community builder page for both the change password and Forgot password experiences.
Answer: B, C
170
Universal containers uses an Employee portal for their employees to collaborate. employees access the portal from their company's internal website via SSO. It is set up to work with Active Directory. What is the role of Active Directory in this scenario?
A . Identity store
B . Authentication store
C . Identity provider
D . Service provider
Answer: C
171
Universal containers (UC) wants users to authenticate into their salesforce org using credentials stored in a custom identity store. UC does not want to purchase or use a third-party Identity provider. Additionally, UC is extremely wary of social media and does not consider it to be trust worthy. Which two options should an
architect recommend to UC?
Choose 2 answers
A . Use a professional social media such as LinkedIn as an Authentication provider
B . Build a custom web page that uses the identity store and calls frontdoor.jsp
C . Build a custom Web service that is supported by Delegated Authentication.
D . Implement the Openid protocol and configure an Authentication provider
Answer: C, D
172
Universal containers (UC) has a mobile application that calls the salesforce REST API. In order to prevent users from having to enter their credentials everytime they use the app, UC has enabled the use of refresh Tokens as part of the salesforce connected App and updated their mobile app to take advantage of the refresh token.
Even after enabling the refresh token, Users are still complaining that they have to enter their credentials once a day. What is the most likely cause of the issue?
A . The Oauth authorizations are being revoked by a nightly batch job.
B . The refresh token expiration policy is set incorrectly in salesforce
C . The app is requesting too many access Tokens in a 24-hour period
D . The users forget to check the box to remember their credentials.
Answer: B
173
Universal containers (UC) is setting up Delegated Authentication to allow employees to log in using their corporate credentials. UC's security team is concerned about the risk of exposing the corporate login service on the Internet and has asked that a reliable trust mechanism be put in place between the login service and
salesforce. What mechanism should an architect put in place to enable a trusted connection between the
login services and salesforce?
A . Include client ID and client secret in the login header callout.
B . Set up a proxy server for the login service in the DMZ.
C . Require the use of Salesforce security Tokens on password.
D . Enforce mutual Authentication between systems using SSL.
Answer: C
174
Which two roles of the systems are involved in an environment where salesforce users are enabled to access Google Apps from within salesforce through App launcher and connected App set up?
Choose 2 answers
A . Google is the identity provider
B . Salesforce is the identity provider
C . Google is the service provider
D . Salesforce is the service provider
Answer: B,D
175
Universal containers (UC) would like to enable SSO between their existing Active Directory infrastructure and salesforce. The it team prefers to manage all users in Active Directory and would like to avoid doing any initial setup of users in salesforce directly, including the correct assignment of profiles, roles and groups. Which two
optimal solutions should UC use to provision users in salesforce?
Choose 2 answers
A . Use the salesforce REST API to sync users from active directory to salesforce
B . Use an app exchange product to sync users from Active Directory to salesforce.
C . Use Active Directory Federation Services to sync users from active directory to salesforce.
D . Use Identity connect to sync users from Active Directory to salesforce
Answer: B, D
176
Universal containers wants salesforce inbound Oauth-enabled integration clients to use SAML-BASED single Sign-on for authentication. What Oauth flow would be recommended in this scenario?
A . User-Agent Oauth flow
B . SAML assertion Oauth flow
C . User-Token Oauth flow
D . Web server Oauth flow
Answer: B
177
Universal containers wants to implement SAML SSO for their internal salesforce users using a third-party IDP. After some evaluation, UC decides not to set up my domain for their salesforce.org. How does that decision impact their SSO implementation?
A . Neithersp - nor IDP - initiated SSO will work
B . Either sp - or IDP - initiated SSO will work
C . IDP - initiated SSO will not work
D . Sp-Initiated SSO will not work
Answer: A
178
Universal Containers (UC) has an existing web application that it would like to access from Salesforce without requiring users to re-authenticate. The web application is owned UC and the UC team that is responsible for it is willing to add new javascript code and/or libraries to the application. What implementation should an
Architect recommend to UC?
A . Create a Canvas app and use Signed Requests to authenticate the users.
B . Rewrite the web application as a set of Visualforce pages and Apex code.
C . Configure the web application as an item in the Salesforce App Launcher.
D . Add the web application as a ConnectedApp using OAuth User-Agent flow.
Answer: A
179
IT security at Unversal Containers (UC) us concerned about recent phishing scams targeting its users and wants to add additional layers of login protection. What should an Architect recommend to address the issue?
A . Use the Salesforce Authenticator mobile app with two-step verification
B . Lock sessions to the IP address from which they originated.
C . Increase Password complexity requirements in Salesforce.
D . Implement Single Sign-on using a corporate Identity store.
Answer: A
180
Universal Containers (UC) is planning to deploy a custom mobile app that will allow users to get e-signatures from its customers on their mobile devices. The mobile app connects to Salesforce to upload the e-signature as a file attachment and uses OAuth protocol for both authentication and authorization.
What is the most recommended and secure OAuth scope setting that an Architect should recommend?
A . Id
B . Web
C . Api
D . Custom_permissions
Answer: D
181
Universal Containers (UC) uses a home-grown Employee portal for their employees to collaborate. UC decides to use Salesforce Ideas to allow employees to post Ideas from the Employee portal. When users click on some of the links in the Employee portal, the users should be redirected to Salesforce, authenticated, and presented
with the relevant pages. What OAuth flow is best suited for this scenario?
A . Web Application flow
B . SAML Bearer Assertion flow
C . User-Agent flow
D . Web Server flow
Answer: D
182
Universal Containers (UC) wants its users to access Salesforce and other SSO-enabled applications from a custom web page that UC magnets. UC wants its users to use the same set of credentials to access each of the applications. what SAML SSO flow should an Architect recommend for UC?
A . SP-Initiated with Deep Linking
B . SP-Initiated
C . IdP-Initiated
D . User-Agent
Answer: C
183
The security team at Universal Containers (UC) has identified exporting reports as a high-risk action and would like to require users to be logged into Salesforce with their Active Directory (AD) credentials when doing so. For all other users of Salesforce, users should be allowed to use AD Credentials or Salesforce credentials. What solution should be recommended to prevent exporting reports except when logged in using AD credentials while maintaining the ability to view reports when logged in with Salesforce credentials?
A . Use SAML Federated Authentication and block access to reports when accessed through a Standard Assurance session.
B . Use SAML Federated Authentication and Custom SAML JIT Provisioning to dynamically and or remove a permission set that grants the Export Reports Permission.
C . Use SAML federated Authentication, treat SAML Sessions as High Assurance, and raise the session level required for exporting reports.
D . Use SAML federated Authentication with a Login Flow to dynamically add or remove a Permission Set that grants the Export Reports Permission.
Answer: C
184
Universal containers (UC) has a mobile application that it wants to deploy to all of its salesforce users, including customer Community users. UC would like to minimize the administration overhead, which two items should an architect recommend?
Choose 2 answers
A . Enable the 'Refresh Tokens is valid until revoked ' setting in the Connected App.
B . Enable the 'Enforce Ip restrictions' settings in the connected App.
C . Enable the 'All users may self-authorize' setting in the Connected App.
D . Enable the 'High Assurance session required' setting in the Connected App.
Answer: A, C
185
universal container plans to develop a custom mobile app for the sales team that will use salesforce for authentication and access management. The mobile app access needs to be restricted to only the sales team.
What would be the recommended solution to grant mobile app access to sales users?
A . Use a custom attribute on the user object to control access to the mobile app
B . Use connected apps Oauth policies to restrict mobile app access to authorized users.
C . Use the permission set license to assign the mobile app permission to sales users
D . Add a new identity provider to authenticate and authorize mobile users.
Answer: B
186
Universal containers (UC) is building a mobile application that will make calls to the salesforce REST API. Additionally UC would like to provide the optimal experience for its mobile users. Which two OAuth scopes should UC configure in the connected App?
Choose 2 answers
A . Refresh token
B . API
C . full
D . Web
Answer: A, B
187
Universal containers wants to build a custom mobile app connecting to salesforce using Oauth, and would like to restrict the types of resources mobile users can access. What Oauth feature of Salesforce should be used to achieve the goal?
A . Access Tokens
B . Mobile pins
C . Refresh Tokens
D . Scopes
Answer: D
188
Sales users at Universal containers use salesforce for Opportunity management. Marketing uses a third-party application called Nest for Lead nurturing that is accessed using username/password. The VP of sales wants to open up access to nest for all sales uses to provide them access to lead history and would like SSO for better adoption. Salesforce is already setup for SSO and uses Delegated Authentication. Nest can accept username/Password or SAML-based Authentication. IT teams have received multiple password-related issues for nest and have decided to set up SSO access for Nest for Marketing users as well. The CIO does not want to invest in a new IDP solution and is considering using Salesforce for this purpose. Which are appropriate license type choices for sales and marketing users, giving salesforce is using Delegated Authentication?
Choose 2 answers
A . Salesforce license for sales users and Identity license for Marketing users
B . Salesforce license for sales users and External Identity license for Marketing users
C . Identity license for sales users and Identity connect license for Marketing users
D . Salesforce license for sales users and platform license for Marketing users
Answer: A, D
189
Which two are valid choices for digital certificates when setting up two-way SSL between Salesforce and an external system.
Choose 2 answers
A . Use a trusted CA-signed certificate for salesforce and a trusted CA-signed cert for the external system
B . Use a trusted CA-signed certificate for salesforce and a self-signed cert for the external system
C . Use a self-signed certificate for salesforce and a self-signed cert for the external system
D . Use a self-signed certificate for salesforce and a trusted CA-signed cert for the external system
Answer: C, D
190
Universal Containers (UC) wants to integrate a third-party Reward Calculation system with Salesforce to calculate Rewards. Rewards will be calculated on a schedule basis and update back into Salesforce. The integration between Salesforce and the Reward Calculation System needs to be secure. Which are two
recommended practices for using OAuth flow in this scenario.
choose 2 answers
A . OAuth Refresh Token FLow
B . OAuth Username-Password Flow
C . OAuth SAML Bearer Assertion FLow
D . OAuth JWT Bearer Token FLow
Answer: C, D
191
Universal Containers (UC) has implemented SAML-based SSO solution for use with their multi-org Salesforce implementation, utilizing one of the the orgs as the Identity Provider. One user is reporting that they can log in to the Identity Provider org but get a generic SAML error message when accessing the other orgs. Which two considerations should the architect review to troubleshoot the issue?
Choose 2 answers
A . The Federation ID must be a valid Salesforce Username
B . The Federation ID must is case sensitive
C . The Federation ID must be in the form of an email address.
D . The Federation ID must be populated on the user record.
Answer: B, D
192
Containers (UC) has implemented SAML-based single Sign-on for their Salesforce application and is planning to provide access to Salesforce on mobile devices using the Salesforce1 mobile app. UC wants to ensure that Single Sign-on is used for accessing the Salesforce1 mobile App. Which two recommendations should the
Architect make?
Choose 2 Answers
A . Configure the Embedded Web Browser to use My Domain URL.
B . Configure the Salesforce1 App to use the MY Domain URL.
C . Use the existing SAML-SSO flow along with User Agent Flow.
D . Use the existing SAML SSO flow along with Web Server Flow.
Answer: B, C
193
Universal Containers is considering using Delegated Authentication as the sole means of Authenticating of Salesforce users. A Salesforce Architect has been brought in to assist with the implementation. What two risks Should the Architect point out?
Choose 2 answers
A . Delegated Authentication is enabled or disabled for the entire Salesforce org.
B . UC will be required to develop and support a custom SOAP web service.
C . Salesforce users will be locked out of Salesforce if the web service goes down.
D . The web service must reside on a public cloud service, such as Heroku
Answer: B, C
194
Universal Containers (UC) uses Global Shipping (GS) as one of their shipping vendors. Regional leads of GS need access to UC's Salesforce instance for reporting damage of goods using Cases. The regional leads also need access to dashboards to keep track of regional shipping KPIs. UC internally uses a third-party cloud
analytics tool for capacity planning and UC decided to provide access to this tool to a subset of GS employees. In addition to regional leads, the GS capacity planning team would benefit from access to this tool. To access the analytics tool, UC IT has set up Salesforce as the Identity provider for Internal users and would like to
follow the same approach for the GS users as well. What are the most appropriate license types for GS Regional Leads and the GS Capacity Planners?
Choose 2 Answers
A . Customer Community Plus license for GS Regional Leads and External Identity for GS Capacity Planners.
B . Customer Community Plus license for GS Regional Leads and Customer Community license for GS Capacity
Planners.
C . Identity Licence for GS Regional Leads and External Identity license for GS capacity Planners.
D . Customer Community license for GS Regional Leads and Identity license for GS Capacity Planners.
Answer: B, D
195
Universal Containers (UC) employees have Salesforce access from restricted IP ranges only, to protect against unauthorised access. UC wants to roll out the Salesforce1 mobile app and make it accessible from any location. Which two options should an Architect recommend?
Choose 2 answers
A . Relax the IP restriction with a second factor in the Connect App settings for Salesforce1 mobile app.
B . Remove existing restrictions on IP ranges for all types of user access.
C . Relax the IP restrictions in the Connect App settings for the Salesforce1 mobile app.
D . Use Login Flow to bypass IP range restriction for the mobile app.
Answer: A, C
196
Which two statements are capable of Identity Connect?
Choose 2 answers
A . Synchronization of Salesforce Permission Set Licence Assignments.
B . Supports both Identity-Provider-Initiated and Service-Provider-Initiated SSO.
C . Support multiple orgs connecting to multiple Active Directory servers.
D . Automated user synchronization and de-activation.
Answer: B, D
197
Universal Containers (UC) has built a custom token-based Two-factor authentication (2FA) system for their existing on-premise applications. They are now implementing Salesforce and would like to enable a Two-factor login process for it, as well. What is the recommended solution as Architect should consider?
A . Use the custom 2FA system for on-premise applications and native 2FA for Salesforce.
B . Replace the custom 2FA system with an AppExchange App that supports on premise application and salesforce.
C . Use Custom Login Flows to connect to the existing custom 2FA system for use in Salesforce.
D . Replace the custom 2FA system with Salesforce 2FA for on-premise applications and Salesforce.
Answer: C
198
Universal Containers (UC) would like its community users to be able to register and log in with Linkedin or Facebook Credentials. UC wants users to clearly see Facebook &Linkedin Icons when they register and login.
What are the two recommended actions UC can take to achieve this Functionality?
Choose 2 answers
A . Enable Facebook and Linkedin as Login options in the login section of the Community configuration.
B . Create custom Registration Handlers to link Linkedin and facebook accounts to user records.
C . Store the Linkedin or Facebook user IDs in the Federation ID field on the Salesforce User record.
D . Create custom buttons for Facebook and inkedin using JAVAscript/CSS on a custom Visualforce page.
Answer: A, B
199
Universal containers (UC) has multiple salesforce orgs and would like to use a single identity provider to access all of their orgs. How should UC'S architect enable this behavior?
A . Ensure that users have the same email value in their user records in all of UC's salesforce orgs.
B . Ensure the same username is allowed in multiple orgs by contacting salesforce support.
C . Ensure that users have the same Federation ID value in their user records in all of UC's salesforce orgs.
D . Ensure that users have the same alias value in their user records in all of UC's salesforce orgs.
Answer: C
200
Universal Containers (UC) is building a customer community and will allow customers to authenticate using Facebook credentials. The First time the user authenticating using facebook, UC would like a customer account created automatically in their Accounting system. The accounting system has a web service accessible to Salesforce for the creation of accounts. How can the Architect meet these requirements?
A . Create a custom application on Heroku that manages the sign-on process from Facebook.
B . Use JIT Provisioning to automatically create the account in the accounting system.
C . Add an Apex callout in the registration handler of the authorization provider.
D . Use OAuth JWT flow to pass the data from Salesforce to the Accounting System.
Answer: C
201
In an SP-Initiated SAML SSO setup where the user tries to access a resource on the Service Provider, What HTTP param should be used when submitting a SAML Request to the Idp to ensure the user is returned to the intended resourse after authentication?
A . RedirectURL
B . RelayState
C . DisplayState
D . StartURL
Answer: B
202
What are three capabilities of Delegated Authentication?
Choose 3 answers
A . It can be assigned by Custom Permissions.
B . It can connect to SOAP services.
C . It can be assigned by Permission Sets.
D . It can be assigned by Profiles.
E . It can connect to REST services.
Answer: B, C, E
203
Universal Containers (UC) has a Customer Community that uses Facebook for Authentication. UC would like to ensure that Changes in the Facebook profile are reflected on the appropriate Customer Community user: How can this requirement be met?
A . Use the updateUser method on the registration Handler Class.
B . Develop a scheduled job that calls out to Facebook on a nightly basis.
C . Use information in the signed Request that is received from facebook.
D . Use SAML Just-In-Time Provisioning between Facebook and Salesforce.
Answer: A
204
Containers (UC) has an existing Customer Community. UC wants to expand the self-registration capabilities such that customers receive a different community experience based on the data they provide during the registration process. What is the recommended approach an Architect Should recommend to UC?
A . Create an After Insert Apex trigger on the user object to assign specific custom permissions.
B . Create separate login flows corresponding to the different community user personas.
C . Modify the Community pages to utilize specific fields on the User and Contact records.
D . Modify the existing Communities registration controller to assign different profiles.
Answer: C
205
Universal Containers (UC) has an existing e-commerce platform and is implementing a new customer community. They do not want to force customers to register on both applications due to concern over the customers experience. It is expected that 25% of the e-commerce customers will utilize the customer community . The e-commerce platform is capable of generating SAML responses and has an existing REST-ful. API capable of managing users. How should UC create the identities of its e-commerce users with the
customer community?
A . Use SAML JIT in the Customer Community to create users when a user tries to login to the community from
the e-commerce site.
B . Use the e-commerce REST API to create users when a user self-register on the customer community and
use SAML to allow SSO.
C . Use a nightly batch ETL job to sync users between the Customer Community and the e-commerce platform
and use SAML to allow SSO.
D . Use the standard Salesforce API to create users in the Community When a User is Created in the eCommerce platform and use SAML to allow SSO.
Answer: A
206
Which three are features of federated Single sign-on solutions?
Choose 3 Answers
A . It establishes trust between Identity Store and Service Provider.
B . It federates credentials control to authorized applications.
C . It solves all identity and access management problems.
D . It improves affiliated applications adoption rates.
E . It enables quick and easy provisioning and deactivating of users.
Answer: A, D, E
207
Universal Containers (UC) wants its closed Won opportunities to be synced to a Data Warehouse in near real time. UC has implemented Outbound Message to enable near real-time data sync. UC wants to ensure that communication between Salesforce and Target System is Secure.
What Certificate is sent along with the Outbound Message?
A . The CA-Signed Certificate from the Certificate and Key Management menu.
B . The default Client Certificate from the Develop--> API Menu.
C . The default Client Certificate or a Certificate from Certificate and Key Management menu.
D . The Self-Signed Certificates from the Certificate & Key Management menu.
Answer: B
208
An Architect needs to advise the team that manages the Identity Provider how to differentiate Salesforce from other Service Providers. What SAML SSO setting in Salesforce provides this capability?
A . Identity Provider Login URL.
B . Issuer.
C . Entity Id
D . SAML Identity Location.
Answer: C
209
Universal Containers (UC) has a Desktop application to collect leads for marketing campaigns. UC wants to extend this application to integrate with Salesforce to create leads. Integration between the desktop application and salesforce should be seamless. What Authorization flow should the Architect recommend?
A . JWT Bearer Token flow
B . Web Server Authentication Flow
C . User Agent Flow
D . Username and Password Flow
Answer: C
210
architect is troubleshooting some SAML-based SSO errors during testing. The Architect confirmed that all of the Salesforce SSO settings are correct. Which two issues outside of the Salesforce SSO settings are most likely contributing to the SSO errors the Architect is encountering?
Choose 2 Answers
A . The Identity Provider is also used to SSO into five other applications.
B . The clock on the Identity Provider server is twenty minutes behind Salesforce.
C . The Issuer Certificate from the Identity Provider expired two weeks ago.
D . The default language for the Identity Provider and Salesforce are Different.
Answer: B, C
211
Under which scenario Web Server flow will be used?
A . Used for web applications when server-side code needs to interact with APIS.
B . Used for server-side components when page needs to be rendered.
C . Used for mobile applications and testing legacy Integrations.
D . Used for verifying Access protected resources.
Answer: A
212
Containers (UC) has decided to implement a federated single Sign-on solution using a third-party Idp. In reviewing the third-party products, they would like to ensure the product supports the automated provisioning and deprovisioning of users. What are the underlining mechanisms that the UC Architect must
ensure are part of the product?
A . SOAP API for provisioning; Just-in-Time (JIT) for Deprovisioning.
B . Just-In-time (JIT) for Provisioning; SOAP API for Deprovisioning.
C . Provisioning API for both Provisioning and Deprovisioning.
D . Just-in-Time (JIT) for both Provisioning and Deprovisioning.
Answer: D
213
A group of users try to access one of Universal Containers' Connected Apps and receive the following error
message: ' Failed: Not approved for access.' What is the most likely cause of this issue?
A . The Connected App settings 'All users may self-authorize' is enabled.
B . The Salesforce Administrators have revoked the OAuth authorization.
C . The Users do not have the correct permission set assigned to them.
D . The User of High Assurance sessions are required for the Connected App.
Answer: C
214
What item should an Architect consider when designing a Delegated Authentication implementation?
A . The Web service should be secured with TLS using Salesforce trusted certificates.
B . The Web service should be able to accept one to four input method parameters.
C . The web service should use the Salesforce Federation ID to identify the user.
D . The Web service should implement a custom password decryption method.
Answer: A
215
Universal Containers (UC) wants to build a custom mobile app for their field reps to create orders in salesforce. After the first time the users log in, they must be able to access salesforce upon opening the mobile app without being prompted to log in again. What Oauth flows should be considered to support this requirement?
A . Web Server flow with a Refresh Token.
B . Mobile Agent flow with a Bearer Token.
C . User Agent flow with a Refresh Token.
D . SAML Assertion flow with a Bearer Token.
Answer: C
216
Universal Containers (UC) is building an integration between Salesforce and a legacy web applications using
the canvas framework. The security for UC has determined that a signed request from Salesforce is not an adequate authentication solution for the Third-Party app. Which two options should the Architect consider for authenticating the third-party app using the canvas framework?
Choose 2 Answers
A . Utilize the SAML Single Sign-on flow to allow the third-party to authenticate itself against UC's IdP.
B . Utilize Authorization Providers to allow the third-party appliction to authenticate itself against Salesforce as
the Idp.
C . Utilize Canvas OAuth flow to allow the third-party appliction to authenticate itself against Salesforce as the
Idp.
D . Create a registration handler Apex class to allow the third-party appliction to authenticate itself against
Salesforce as the Idp.
Answer: A, C
217
Universal containers (UC) would like to enable SAML-BASED SSO for a salesforce partner community. UC has an existing ldap identity store and a third-party portal. They would like to use the existing portal as the primary site these users access, but also want to allow seamless access to the partner community.
What SSO flow should an architect recommend?
A . User-Agent
B . IDP-initiated
C . Sp-Initiated
D . Web server
Answer: B
218
Universal Containers (UC) built an integration for their employees to post, view, and vote for ideas in Salesforce from an internal Company portal. When ideas are posted in Salesforce, links to the ideas are created in the company portal pages as part of the integration process. The Company portal connects to
Salesforce using OAuth. Everything is working fine, except when users click on links to existing ideas, they are always taken to the Ideas home page rather than the specific idea, after authorization. Which OAuth URL parameter can be used to retain the original requested page so that a user can be redirected correctly after
OAuth authorization?
A . Redirect_uri
B . State
C . Scope
D . Callback_uri
Answer: A
219
Universal Containers (UC) has implemented SSO according to the diagram below. uses SAML while Salesforce Org 1 uses OAuth 2.0. Users usually start their day by first attempting to log into Salesforce Org 2 and then later in the day, they will log into either the Financial System or CPQ system depending upon their job position.
Which two systems are acting as Identity Providers?
A . Financial System
B . Pingfederate
C . Salesforce Org 2
D . Salesforce Org 1
Answer: B, D
220
Universal Containers (UC) wants to build a few applications that leverage the Salesforce REST API. UC has asked its Architect to describe how the API calls will be authenticated to a specific user.
Which two mechanisms can the Architect provide?
Choose 2 Answers
A . Authentication Token
B . Session ID
C . Refresh Token
D . Access Token
Answer: C, D
221
Universal Containers (UC) is implementing Salesforce and would like to establish SAML SSO for its users to log in. UC stores its corporate user identities in a Custom Database. The UC IT Manager has heard good things about Salesforce Identity Connect as an Idp, and would like to understand what limitations they may face if they decided to use Identity Connect in their current environment. What limitation Should an Architect inform the IT Manager about?
A . Identity Connect will not support user provisioning in UC's current environment.
B . Identity Connect will only support Idp-initiated SAML flows in UC's current environment.
C . Identity Connect will only support SP-initiated SAML flows in UC's current environment.
D . Identity connect is not compatible with UC's current identity environment.
Answer: A
222
An Architect has configured a SAML-based SSO integration between Salesforce and an external Identity provider and is ready to test it. When the Architect attempts to log in to Salesforce using SSO, the Architect receives a SAML error. Which two optimal actions should the Architect take to troubleshoot the issue?
choose 2
A . Ensure the Callback URL is correctly set in the Connected Apps settings.
B . Use a browser that has an add-on/extension that can inspect SAML.
C . Paste the SAML Assertion Validator in Salesforce.
D . Use the browser's Development tools to view the Salesforce page's markup.
Answer: B, C
223
Universal Containers (UC) has decided to use Salesforce as an Identity Provider for multiple external applications. UC wants to use the salesforce App Launcher to control the Apps that are available to individual users. Which three steps are required to make this happen?
A . Add each connected App to the App Launcher with a Start URL.
B . Set up an Auth Provider for each External Application.
C . Set up Salesforce as a SAML Idp with My Domain.
D . Set up Identity Connect to Synchronize user data.
E . Create a Connected App for each external application.
Answer: A, C, E
224
Universal Containers (UC) has an existing Salesforce org configured for SP-Initiated SAML SSO with their Idp. A second Salesforce org is being introduced into the environment and the IT team would like to ensure they can use the same Idp for new org.
What action should the IT team take while implementing the second org?
A . Use the same SAML Identity location as the first org.
B . Use a different Entity ID than the first org.
C . Use the same request bindings as the first org.
D . Use the Salesforce Username as the SAML Identity Type
B
225
Universal Containers (UC) is looking to build a Canvas app and wants to use the corresponding Connected App to control where the app is visible. Which two options are correct in regards to where the app can be made visible under the Connected App setting for the Canvas app?
Choose 2 answers
A . As part of the body of a Salesforce Knowledge article.
B . In the mobile navigation menu on Salesforce for Android.
C . The sidebar of a Salesforce Console as a console component.
D . Included in the Call Control Tool that's part of Open CTI.
Answer: A, C
226
Universal containers(UC) wants to integrate a third-party reward calculation system with salesforce to calculate rewards. Rewards will be calculated on a schedule basis and update back into salesforce. The integration between Salesforce and the reward calculation system needs to be secure. Which are the
recommended best practices for using Oauth flows in this scenario?
Choose 2 answers
A . Oauth refresh token flow
B . Oauth SAML bearer assertion flow
C . Oauthjwt bearer token flow
D . Oauth Username-password flow
Answer: B, C
227
Universal containers(UC) has a customer Community that uses Facebook for authentication. UC would like to ensure that changes in the Facebook profile are reflected on the appropriate customer Community user. How can this requirement be met?
A . Use the updateuser() method on the registration handler class.
B . Use SAML just-in-time provisioning between Facebook and Salesforce
C . Use information in the signed request that is received from Facebook.
D . Develop a schedule job that calls out to Facebook on a nightly basis.
Answer: A
228
Universal containers (UC) employees have salesforce access from restricted ip ranges only, to protect against unauthorised access. UC wants to rollout the salesforce1 mobile app and make it accessible from any location.
Which two options should an architect recommend?
Choose 2 answers
A . Relax the ip restriction in the connect app settings for the salesforce1 mobile app
B . Use login flow to bypass ip range restriction for the mobile app.
C . Relax the ip restriction with a second factor in the connect app settings for salesforce1 mobile app
D . Remove existing restrictions on ip ranges for all types of user access.
Answer: A,C
229
The security team at Universal containers(UC) has identified exporting reports as a high-risk action and would like to require users to be logged into salesforce with their active directory (AD) credentials when doing so. For all other uses of Salesforce, Users should be allowed to use AD credentials or salesforce credentials. What solution should be recommended to prevent exporting reports except when logged in using AD credentials while maintaining the ability to view reports when logged in with salesforce credentials?
A . Use SAML Federated Authentication and Custom SAML jit provisioning to dynamically add or remove a
permission set that grants the Export Reports permission.
B . Use SAML Federated Authentication, treat SAML sessions as high assurance, and raise the session level
required for exporting reports.
C . Use SAML Federated Authentication and block access to reports when accesses through a standard
assurance session.
D . Use SAML Federated Authentication with a login flow to dynamically add or remove a permission set that
grants the export reports permission.
B
230
An architect needs to advise the team that manages the identity provider how to differentiate salesforce from other service providers. What SAML SSO setting in salesforce provides this capability?
A . Entity id
B . Issuer
C . Identity provider login URL
D . SAML identity location
Answer: A
231
Universal Containers (UC) wants its closed Won opportunities to be synced to a Data warehouse in near real time. UC has implemented Outbound Message to enable near real-time data sync. UC wants to ensure that communication between Salesforce and Target System is secure.
What certificate is sent along with the Outbound Message?
A . The Self-signed Certificates from the Certificate & Key Management menu.
B . The default client Certificate from the Develop--> API menu.
C . The default client Certificate or the Certificate and Key Management menu.
D . The CA-signed Certificate from the Certificate and Key Management Menu
Answer: B
232
Universal containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a connected App in salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app. Which two are recommendations to make the UC?
Choose 2 answers
A . Disallow the use of single Sign-on for any users of the mobile app.
B . Require high assurance sessions in order to use the connected App
C . Use Google Authenticator as an additional part of the logical processes.
D . Set login IP ranges to the internal network for all of the app users profiles.
Answer: B, C
233
Universal containers (UC) has built a custom based Two-factor Authentication (2fa) system for their existing on-premise applications. Thru are now implementing salesforce and would like to enable a Two-factor login process for it, as well. What is the recommended solution an architect should consider?
A . Replace the custom 2fa system with salesforce 2fa for on-premise application and salesforce.
B . Use the custom 2fa system for on-premise applications and native 2fa for salesforce.
C . Replace the custom 2fa system with an app exchange app that supports on-premise applications and
salesforce.
D . Use custom login flows to connect to the existing custom 2fa system for use in salesforce.
D
234
which three are features of federated Single Sign-on solutions?
Choose 3 answers
A . It federates credentials control to authorized applications.
B . It establishes trust between Identity store and service provider.
C . It solves all identity and access management problems.
D . It improves affiliated applications adoption rates.
E . It enables quick and easy provisioning and deactivating of users
Answer: B, D, E
235
Universal Containers (UC) has a desktop application to collect leads for marketing campaigns. UC wants to extend this application to integrate with Salesforce to create leads. Integration between the desktop application and Salesforce should be seamless. What Authorization flow should the Architect recommend?
A . JWT Bearer Token Flow
B . Web Server Authentication Flow
C . User Agent Flow
D . Username and Password Flow
Answer: C
236
Universal Containers wants to implement SAML SSO for their internal Salesforce users using a third-party IdP. After some evaluation, UC decides not to set up My Domain for their Salesforce org. How does that decision impact their SSO implementation?
A . SP-initiated SSO will not work.
B . Neither SP- nor IdP-initiated SSO will work.
C . Either SP- or IdP-initiated SSO will work.
D . IdP-initiated SSO will not work.
B
237
Which two capabilities does My Domain enable in the context of a SAML SSO configuration?
Choose 2 answers
A . App Launcher
B . Resource deep linking
C . SSO from Salesforce Mobile App
D . Login Forensics
Answer: B, C
238
Universal Containers (UC) wants to implement SAML SSO for their internal of Salesforce users using a thirdparty IdP. After some evaluation, UC decides NOT to 65 set up My Domain for their Salesforce org. How does that decision impact their SSO implementation?
A . IdP-initiated SSO will NOT work.
B . Neither SP- nor IdP-initiated SSO will work.
C . Either SP- or IdP-initiated SSO will work.
D . SP-initiated SSO will NOT work
Answer: B
239
Universal Containers (UC) has five Salesforce orgs (UC1, UC2, UC3, UC4, UC5). of Every user that is in UC2, UC3, UC4, and UC5 is also in UC1, however not all users 65* have access to every org. Universal Containers would like to simplify the authentication process such that all Salesforce users need to remember one set of credentials. UC would like to achieve this with the least impact to cost and maintenance. What approach should an Architect recommend to UC?
A . Purchase a third-party Identity Provider for all five Salesforce orgs to use and set up JIT user provisioning on
all other orgs.
B . Purchase a third-party Identity Provider for all five Salesforce orgs to use, but don't set up JIT user
provisioning for other orgs.
C . Configure UC1 as the Identity Provider to the other four Salesforce orgs and set up JIT user provisioning on
all other orgs.
D . Configure UC1 as the Identity Provider to the other four Salesforce orgs, but don't set up JIT user
provisioning for other orgs.
Answer: B
240
Universal Containers (UC) has a Customer Community that uses Facebook for of authentication. UC would like to ensure that changes in the Facebook profile are 65. reflected on the appropriate Customer Community user.
How can this requirement be met?
A . Use SAML Just-In-Time Provisioning between Facebook and Salesforce.
B . Use information in the Signed Request that is received from Facebook.
C . Develop a scheduled job that calls out to Facebook on a nightly basis.
D . Use the updateUser() method on the Registration Handler class.
D
241
Universal Containers (UC) wants to use Salesforce for sales orders and a legacy of system for order fulfillment. The legacy system must update the status of orders in 65* Salesforce in real time as they are fulfilled. UC decides to use OAuth for connecting the legacy system to Salesforce. What OAuth flow should be considered that doesn't require storing credentials, client secret or refresh tokens?
A . Web Server flow
B . JWT Bearer Token flow
C . Username-Password flow
D . User Agent flow
Answer: B
242
Universal Containers (UC) plans to use a SAML-based third-party IdP serving both of the Salesforce Partner Community and the corporate portal. UC partners will log in 65* to the corporate portal to access protected resources, including links to Salesforce resources. What would be the recommended way to configure the IdP so that seamless access can be achieved in this scenario?
A . Set up the corporate portal as a Connected App in Salesforce and use the Web server OAuth flow.
B . Configure SP-initiated SSO that passes the SAML token upon Salesforce resource access request.
C . Set up the corporate portal as a Connected App in Salesforce and use the User Agent OAuth flow.
D . Configure IdP-initiated SSO that passes the SAML token upon Salesforce resource access request.
Answer: D
243
Universal Containers (UC) has a classified information system that its call center team uses only when they are working on a case with a record type 'Classified'. They are only allowed to access the system when they own an open 'Classified' case, and their access to the system is removed at all other times. They would like to
implement SAML SSO eith Salesforce as the Idp, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open 'Classified' case record when they try to access the system using SSO. What is the recommended solution for automatically allowing or denying
the access to the classified information system based on the open 'classified' case record criteria?
A . Use Salesforce reports to identify users that currently owns open 'Classified' cases and should be granted access to the Classified information system.
B . Use Apex trigger on case to dynamically assign permission Sets that Grant access when an user is assigned with an open 'Classified' case, and remove it when the case is closed.
C . Use Custom SAML JIT Provisioning to dynamically query the user's open 'Classified' cases when attempting to access the classified information system.
D . Use a Common Connected App Handler using Apex to dynamically allow access to the system based on whether the staff owns any open 'Classified' Cases.
Answer: D
244
How should an Architect automatically redirect users to the login page of the external Identity provider when using an SP-Initiated SAML flow with Salesforce as a Service Provider?
A . Use visualforce as the landing page for My Domain to redirect users to the Identity Provider login Page.
B . Enable the Redirect to the Identity Provider setting under Authentication Services on the My domain Configuration.
C . Remove the Login page from the list of Authentication Services on the My Domain configuration.
D . Set the Identity Provider as default and enable the Redirect to the Identity Provider setting on the SAML Configuration.
Answer: C
245
Universal Containers (UC) has an e-commerce website where customers can buy products, make payments and manage their accounts. UC decides to build a Customer Community on Salesforce and wants to allow the customers to access the community from their accounts without logging in again. UC decides to implement an
SP-initiated SSO using a SAML-compliant Idp. In this scenario where Salesforce is the Service Provider, which two activities must be performed in Salesforce to make SP-initiated SSO work?
Choose 2 answers
A . Configure SAML SSO settings.
B . Create a Connected App.
C . Configure Delegated Authentication.
D . Set up My Domain.
Answer: A, D
246
Which three types of attacks would a 2-Factor Authentication solution help garden against?
A . Key logging attacks
B . Network perimeter attacks
C . Phishing attacks
D . Dictionary attacks
E . Man-in-the-middle attacks
Answer: A, B, D
247
What information does the 'Relaystate' parameter contain in sp-Initiated Single Sign-on?
A . Reference to a URL redirect parameter at the identity provider.
B . Reference to a URL redirect parameter at the service provider.
C . Reference to the login address URL of the service provider.
D . Reference to the login address URL of the identity Provider.
Answer: B
248
Universal Containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a connected App in Salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app. Which two are recommendations to make the UC?
Choose 2 answers
A . Disallow the use of Single Sign-on for any users of the mobile app.
B . Require High Assurance sessions in order to use the Connected App.
C . Set Login IP Ranges to the internal network for all of the app users Profiles.
D . Use Google Authenticator as an additional part of the login process
Answer: B, D
